Elastic IPs that are not attached to an instance might be candidates for release in order to save on cloud costs. You need a list of Elastic IP addresses that have been allocated but are not being used.
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
  - Pulling the data into Splunk via AWS APIs. At small scale, pulling via the AWS APIs works fine.
  - Pushing the data from AWS into Splunk via Lambda/Firehose to the Splunk HTTP Event Collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.

```
index="<AWS-INDEX>" sourcetype="aws:description" source="*:ec2_addresses" instance_id="null" network_interface_id="null"
| dedup allocation_id
| table account_id region public_ip
```

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| `index="<AWS index name>" sourcetype="aws:description" source="*:ec2_addresses"` | Search the indexes where AWS data is stored and filter down to Elastic IP address events only. |
| `instance_id="null" network_interface_id="null"` | Filter the results where the Elastic IP is not associated with an instance or a network interface. |
| `\| dedup allocation_id` | Remove duplicate results by allocation_id to obtain the most recent record for each Elastic IP. |
| `\| table account_id region public_ip` | Display the results in a table with columns in the order shown. |

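
The order of the filter and `dedup` matters when the time range covers more than one description snapshot: filtering first keeps the latest unattached record for each Elastic IP, even if that address has been attached since. The Python below is an added example, not part of the original article, that models both orderings over constructed events. The field names come from the search; the `_time` values, IDs and addresses are constructed, and one snapshot event per Elastic IP per polling cycle is assumed.

```python
# Added example: models the search pipeline over constructed events.
# Assumption: the add-on writes one snapshot event per Elastic IP per poll.

def ev(t, alloc, ip, inst, eni):
    """Build one constructed aws:description ec2_addresses event."""
    return {"_time": t, "account_id": "111111111111", "region": "us-east-1",
            "allocation_id": alloc, "public_ip": ip,
            "instance_id": inst, "network_interface_id": eni}

# Constructed sample data: two polls (t=200, t=300) inside the time range.
EVENTS = [
    ev(200, "eipalloc-aaa", "198.51.100.10", "null", "null"),        # idle at t=200
    ev(300, "eipalloc-aaa", "198.51.100.10", "i-0aaa", "eni-0aaa"),  # attached since
    ev(200, "eipalloc-bbb", "203.0.113.20", "null", "null"),
    ev(300, "eipalloc-bbb", "203.0.113.20", "null", "null"),         # still idle
    ev(300, "eipalloc-ccc", "192.0.2.30", "null", "eni-0ccc"),       # on an ENI only
]

def is_unattached(e):
    return e["instance_id"] == "null" and e["network_interface_id"] == "null"

def dedup(events, field):
    """Mimic SPL dedup: keep the first event per value, newest first."""
    seen, kept = set(), []
    for e in sorted(events, key=lambda e: e["_time"], reverse=True):
        if e[field] not in seen:
            seen.add(e[field])
            kept.append(e)
    return kept

def filter_then_dedup(events):
    """Order used by the search on this page: filter, then dedup."""
    hits = dedup([e for e in events if is_unattached(e)], "allocation_id")
    return sorted(e["public_ip"] for e in hits)

def dedup_then_filter(events):
    """Alternative order: latest record per Elastic IP first, then filter."""
    hits = [e for e in dedup(events, "allocation_id") if is_unattached(e)]
    return sorted(e["public_ip"] for e in hits)

if __name__ == "__main__":
    print("filter then dedup:", filter_then_dedup(EVENTS))
    print("dedup then filter:", dedup_then_filter(EVENTS))
```

In SPL, the second ordering corresponds to running `| dedup allocation_id` before `| search instance_id="null" network_interface_id="null"`.
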
Use these results to decide what cost-saving measures you should take.
You might also want to look at similar searches in our article Managing an Amazon Web Services environment.