Current AWS Elastic Compute Cloud (EC2) instances

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Your organization has a large number of EC2 instances currently deployed to AWS. You want to see which of them are running so you can decide whether to stop the ones not in use in order to save on cloud cost.

Data required

AWS: Description data

Procedure

Configure the Splunk Add-on for Amazon Web Services.
Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source="*:ec2_instances" sourcetype="aws:description"
|dedup id sortby -_time
|table account_id region id, instance_type image_id ip_address state
|sort +state

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
`source="*:ec2_instances" sourcetype="aws:description"`	Search only your EC2 instances and filter by description data.
`\|dedup id sortby -_time`	Remove duplicate instances by ID and sort the remaining results with the most recent instances first.
`\|table account_id region id, instance_type image_id ip_address state`	Display the results in a table with columns in the order shown.
`\|sort +state`	Sort the results by state in ascending order.

Next steps

Sample results for this search are shown in the table below. It provides an inventory of running instances, including their types, region, network address, and state.

`account_id`	`region`	`id`	`instance_type`	`image_id`	`ip_address`	`state`
`123456789`	`ap-southeast-1`	`i-222222`	`m3.2xlarge`	`ami-c6634294`	`null`	`running`
`63605715280`	`ap-southeast-1`	`i-3f3152b1`	`t2.micro`	`ami-c9b572aa`	`54.169.12.168`	`running`
`123456789`	`ap-southeast-1`	`i-444444`	`m3.xlarge`	`ami-c6634294`	`null`	`running`
`123456789`	`ap-southeast-1`	`i-55555`	`m3.2xlarge`	`ami-c6634294`	`null`	`running`
`123456789`	`ap-southeast-1`	`i-99999`	`m3.2xlarge`	`ami-c6634294`	`null`	`running`
`123456789`	`ap-southeast-1`	`i-66666`	`m3.2xlarge`	`ami-c6634294`	`null`	`running`
`63605715280`	`ap-southeast-1`	`i-3181671a`	`c3.2xlarge`	`ami-64a9f236`	`54.169.28.253`	`running`

The sources hold a large number of other fields that could be useful to track. Examples include launch time and memory capacity. You can use this and other, similar searches to build inventory reports. Then, inventory data such as usage, age, and location can be used to find efficiencies, which are important in a cloud environment due to usage fees. This type of information can help you maintain infrastructure in the most cost effective way.

You might also want to look at other searches in Managing an Amazon Web Services environment.