Unattached AWS elastic block store volumes
Unattached EBS volumes represent storage that's allocated but not in use or accessible to any system. You want to see which of your EBS volumes are unattached so you can decide if they should be deleted to save on cloud costs.
Data required
AWS description data
Example
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="aws:description" region="*" source="*:ec2_volumes" status!="in-use" |dedup id sortby -_time |rename "attach_data.instance_id" AS instanceId |table account_id id region instanceId size status type
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
sourcetype="aws:description" region="*" |
Search only your EC2 volumes and filter by description data for all regions. |
|
status!="in-use" |
Return only volumes where the status is not "in use." |
|
|dedup id sortby -_time |
Remove duplicate instances by ID and sort the remaining results with the most recent instances first. |
|
|rename "attach_data.instance_id" AS instanceId |
Rename the field as shown for better readability. |
|
|table account_id id region instanceId size status type |
Display the results in a table with columns in the order shown. |
Next steps
Sample results for this search are shown in the table below. The volumes listed are not in use and could be eligible for deletion or archiving to less expensive storage.
| account_id | id | region | instanceId | size | status | type |
|---|---|---|---|---|---|---|
|
63605715280 |
vol-c884c715 |
ap-southeast-1 |
null |
80 |
available |
standard |
|
63605715280 |
vol-c880c7c1 |
ap-southeast-1 |
null |
80 |
available |
standard |
|
63605715280 |
vol-c990c709 |
ap-southeast-1 |
null |
80 |
available |
standard |
|
63605715280 |
vol-s9821717 |
ap-southeast-1 |
null |
100 |
available |
gp2 |
|
63605715280 |
vol-c898c701 |
ap-southeast-1 |
null |
80 |
available |
standard |
|
63605715280 |
vol-c891c7c1 |
ap-southeast-1 |
null |
80 |
available |
standard |
The AWS app does a similar search and provides additional insight for EBS volumes, including Non-Optimized EBS, no recent snapshot, and large and small IOPS. These can be found by navigating to EBS Insights > Insights Filter.
Finally, you might be interested in other processes associated with the Managing an Amazon Web Services environment use case.