Current AWS elastic block store volumes

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Insights into how many, what size, what types, current snapshot size, and usage of EBS volumes are all valuable information for cost and potential performance ramifications. In addition, unused EBS volumes are very common and eliminating them provides an easy way to reduce cost in your AWS environment. As an IT administrator, you want to start monitoring this information.

Data required

AWS: Description data

Procedure

Configure the Splunk Add-on for Amazon Web Services.
Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source="*:ec2_volumes" sourcetype="aws:description"
|dedup id sortby -_time
|table account_id zone id snapshot_id type size  attach_data.instance_id status
|sort -status

Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
`source="*:ec2_volumes" sourcetype="aws:description"`	Search only your EC2 volumes and filter by description data.
`\|dedup id sortby -_time`	Remove duplicate instances by ID and sort the remaining results with the most recent instances first.
`\|table account_id zone id snapshot_id type size attach_data.instance_id status`	Display the results in a table with columns in the order shown.
`\|sort -status`	Sort the results by status in descending order.

Next steps

Sample results for this search are shown in the table below. They serve as a good baseline for understanding the EBS inventory, scale, location, type, and usage.

`account_id`	`zone`	`id`	`snapshot_id`	`type`	`size`	`attach_data.instance_id`	`status`
`63605715280`	`ap-southeast-1a`	`vol-1823a616`	`snap-b71cfa5b`	`standard`	`500`	`i-18472f4e`	`in-use`
`63605715280`	`ap-southeast-1b`	`vol-f01626f8`	`snap-742b7598`	`standard`	`300`	`i-33b05718`	`in-use`
`63605715280`	`ap-southeast-1b`	`vol-f05c08f8`	`snap-bdf1b850`	`standard`	`250`	`i-6e6a4e46`	`in-use`
`63605715280`	`ap-southeast-1b`	`vol-i9920707`	`snap-b71cfa5b`	`gp2`	`100`	`null`	`available`

The sample shown can be augmented by many other fields in this source and source type data. Another useful field is attach_data, which includes the attach time and the deleteOnTermination flag. Knowing these would help you understand the age of volumes and could inform a cost reducing policy that requires justification for volumes that are past a certain age. Delete on termination is the default behavior for root volumes. You may want to expand that behavior to other volumes with data that is considered ephemeral. If the data needs to be retained, then having the age of the volume is used for archiving decisions.

Inventory data such as usage, age and location can be used to find efficiencies, which are important in a cloud environment due to usage fees. This type of information can help you maintain infrastructure in the most cost effective way.

Finally, you might be interested in other processes associated with the Managing an Amazon Web Services environment use case.