You might want to retrieve basic information about your elastic block store (EBS) volumes when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Add-on |
Required |
|
|
App |
Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
Insights into how many, what size, what types, current snapshot size, and usage of EBS volumes are all valuable information for cost and potential performance ramifications. In addition, unused EBS volumes are very common and eliminating them provides an easy way to reduce cost in your AWS environment. As an IT administrator, you want to start monitoring this information.
- Run the following search:
source="*:ec2_volumes" sourcetype="aws:description"
|dedup id sortby -_time
|table account_id zone id snapshot_id type size attach_data.instance_id status
|sort -size -status
Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
source="*:ec2_volumes" sourcetype="aws:description" |
Search your EC2 volumes filtering by source and sourcetype as shown. |
|
|dedup id sortby -_time |
Remove duplicate instances by ID and sort the remaining results with the most recent instances first. |
|
|table account_id zone id snapshot_id type size attach_data.instance_id status |
Display the results in a table with columns in the order shown. |
|
|sort -size -status |
Sort the results by size and status in descending order. |
Result
Sample results for this search are shown in the table below. They serve as a good baseline for understanding the EBS inventory, scale, location, type, and usage.
|
account_id |
zone |
id |
snapshot_id |
type |
size |
attach_data.instance_id |
status |
|
63605715280 |
ap-southeast-1a |
vol-1823a616 |
snap-b71cfa5b |
standard |
500 |
i-18472f4e |
in-use |
|
63605715280 |
ap-southeast-1b |
vol-f01626f8 |
snap-742b7598 |
standard |
300 |
i-33b05718 |
in-use |
|
63605715280 |
ap-southeast-1b |
vol-f05c08f8 |
snap-bdf1b850 |
standard |
250 |
i-6e6a4e46 |
in-use |
|
63605715280 |
ap-southeast-1b |
vol-i9920707 |
snap-b71cfa5b |
gp2 |
100 |
null |
available |
The sample shown can be augmented by many other fields in this source and sourcetype data. Another useful field is attach_data, which includes the attach time and the deleteOnTermination flag. Knowing these would help you understand the age of volumes and could inform a cost reducing policy that requires justification for volumes that are past a certain age. Delete on termination is the default behavior for root volumes. You may want to expand that behavior to other volumes with data that is considered ephemeral. If the data needs to be retained, then having the age of the volume is used for archiving decisions.
Inventory data such as usage, age and location can be used to find efficiencies, which are important in a cloud environment due to usage fees. This type of information can help you maintain infrastructure in the most cost effective way.
Comments
0 comments
Please sign in to leave a comment.