Cloudwatch metrics can be collected on almost any type of AWS infrastructure and subsequently collected into a Splunk deployment. This central metric collection mechanism allows you to gain immediate visibility into the health and performance of AWS infrastructure across regions and accounts without additional instrumentation.
AWS: Cloudwatch dataProcedure
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search:
index="<AWS index name>" sourcetype="aws:cloudwatch" metric_name="<metric name>" metric_dimensions="*<ID>*" | eval final=metric_dimensions.": ".metric_name | timechart avg(Average) AS Average BY final
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|index="<AWS index name>" sourcetype="aws:description"||Search the index(s) where AWS data is stored filtered to just the AWS description data.|
|metric_name="<metric name>" metric_dimensions="*<ID>*"||Filter the metrics and resources down to a subset of the data you wish to visualize, replacing the metric name and AWS ID as needed for your metrics and resources. Multiple values and wildcards are acceptable.|
|| eval final=metric_dimensions.": ".metric_name||Create a separate metric line for each metric and resource.|
|| timechart avg(Average) AS Average BY final||Plot the average value for each metric and resource.|