You might want to retrieve basic information about your elastic compute cloud (EC2) instances when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Add-on |
Required |
|
|
App |
Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
Your organization has a large number of EC2 instances currently deployed to AWS. You want to see which of them are running so you can decide whether to terminate those not in use in order to save on cloud cost.
- Run the following search:
source="*:ec2_instances" sourcetype="aws:description"
|dedup id sortby -_time
|table account_id region id, instance_type image_id ip_address state
|sort +state
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
source="*:ec2_instances" sourcetype="aws:description" |
Search your EC2 instances filter by source and sourcetype. |
|
|dedup id sortby -_time |
Remove duplicate instances by ID and sort the remaining results with the most recent instances first. |
|
|table account_id region id, instance_type image_id ip_address state |
Display the results in a table with columns in the order shown. |
|
|sort +state |
Sort the results by state in ascending order. |
Result
Sample results for this search are shown in the table below. It provides an inventory of running instances, including their types, region, network address, and state.
|
account_id |
region |
id |
instance_type |
image_id |
ip_address |
state |
|
123456789 |
ap-southeast-1 |
i-222222 |
m3.2xlarge |
ami-c6634294 |
null |
running |
|
63605715280 |
ap-southeast-1 |
i-3f3152b1 |
t2.micro |
ami-c9b572aa |
54.169.12.168 |
running |
|
123456789 |
ap-southeast-1 |
i-444444 |
m3.xlarge |
ami-c6634294 |
null |
running |
|
123456789 |
ap-southeast-1 |
i-55555 |
m3.2xlarge |
ami-c6634294 |
null |
running |
|
123456789 |
ap-southeast-1 |
i-99999 |
m3.2xlarge |
ami-c6634294 |
null |
running |
|
123456789 |
ap-southeast-1 |
i-66666 |
m3.2xlarge |
ami-c6634294 |
null |
running |
|
63605715280 |
ap-southeast-1 |
i-3181671a |
c3.2xlarge |
ami-64a9f236 |
54.169.28.253 |
running |
The sources hold a large number of other fields that could be useful to track. Examples include launch time and memory capacity. You can use this and other, similar searches to build inventory reports. Then, inventory data such as usage, age and location can be used to find efficiencies, which are important in a cloud environment due to usage fees. This type of information can help you maintain infrastructure in the most cost effective way.
Comments
0 comments
Please sign in to leave a comment.