Skip to main content
 
 
 
Splunk Lantern

Unused Elastic IPs with no attached instances

 

Elastic IPs that are not attached to an instance might be candidates for release in order to save on cloud cost. You need a list of Elastic IP addresses which have been allocated but are not being used.

Data required

AWS: Cloudwatch data

Procedure

  1. Configure the Splunk Add-on for Amazon WebServices.
  2. Ensure that your deployment is ingesting AWS data through one of the following methods:
    1. Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work.
    2. Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    index="<AWS-INDEX>" sourcetype="aws:description" source="*:ec2_addresses" 
    instance_id="null" network_interface_id="null"
    | dedup allocation_id
    | table account_id region public_ip
    

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
index="<AWS index name>" sourcetype="aws:description" source="*:ec2_addresses" Search the indexes where AWS data is stored and filter down to Elastic IP address events only.
instance_id="null" network_interface_id="null" Filter the results where the Elastic IP is not associated to an instance or a network interface.
| dedup allocation_id Remove duplicate results by allocation_id to obtain the most recent record for each Elastic IP.
| table account_id region public_ip Display the results in a table with columns in the order shown.

Next steps

Use these results to decide what cost-saving measures you should take.

You might also want to look at other searches in Managing an Amazon Web Services environment.