Logging output from AWS Cloudwatch
Like CloudWatch metrics, CloudWatch logs can be collected for a wide range of AWS infrastructure. After CloudWatch logs are collected in the Splunk platform, the full power of Splunk search processing language can be applied to help accelerate incident investigations involving cloud infrastructure.
Data required
AWS: CloudWatch logs
How to use Splunk software for this use case
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data. There are multiple methods of doing so. For detailed information on the different approaches, see Getting AWS data into the Splunk platform. In general, you will do one of the following:
  - Pulling the data into the Splunk platform via the AWS APIs. At small scale, pulling via the AWS APIs works.
  - Pushing the data from AWS into the Splunk platform via Lambda or Firehose to the Splunk HTTP Event Collector. As the size and scale of your AWS accounts or the amount of data to be collected grows, pushing data from AWS into the Splunk platform is the easier and more scalable method.
- Run the following search:
index="<AWS index name>" sourcetype="aws:cloudwatchlogs" source="*"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| index="<AWS index name>" sourcetype="aws:cloudwatchlogs" | Search the indexes where AWS data is stored, filtered to just the AWS CloudWatch Logs source type. |
| source="*" | Search all sources. |
Next steps
You can tailor this search to your investigation or troubleshooting needs in two ways:
- Update the source filter to return logs from a specific log group, such as the log group associated with a certain Lambda function.
- Add keywords to the search. For example, adding (error OR fail*) to the search might help uncover AWS resources that have experienced errors recently.
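The two tailoring steps above combined into one investigation search, as an added example rather than a search from this page: it narrows the source filter to Lambda log groups, adds the error keywords, and then summarizes per log group so the noisiest functions surface first. It assumes `<AWS index name>` is replaced with your index, that the `source` field carries the CloudWatch log group name (as the page describes), and that Lambda log groups follow the `/aws/lambda/<function name>` naming convention.

```spl
index="<AWS index name>" sourcetype="aws:cloudwatchlogs" source="/aws/lambda/*"
    (error OR fail*)
| stats count AS error_events,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen
    BY source
| convert ctime(first_seen) ctime(last_seen)
| sort - error_events
```

Replace the `source` value with a single log group, for example the group of one function named in an alert, to drill from the summary into the raw events for that function.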
You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.

