You might want to retrieve basic information about your elastic load balancer (ELB) instances when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
- AWS description data
- Splunk Add-on for Amazon Web Services
Example
Your organization has a large number of ELB instances currently deployed to AWS. You want to be able to quickly take an inventory of all of them, as well as their configured fully qualified domain names (FQDN), to better manage your cloud infrastructure.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
source="*_load_balancers" sourcetype="aws:description"
|eval name=if(isnull(name),LoadBalancerName,name), vpc_id=if(isnull(vpc_id),VpcId,vpc_id), dns_name=if(isnull(dns_name),DNSName,dns_name), id=((((name . "#") . account_id) . "#") . region)
|dedup id sortby - created_time
|table account_id created_time region name dns_name vpc_id
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| `source="*_load_balancers" sourcetype="aws:description"` | Search only your load balancers and filter by description data. |
| `\|eval name=if(isnull(name),LoadBalancerName,name), vpc_id=if(isnull(vpc_id),VpcId,vpc_id), dns_name=if(isnull(dns_name),DNSName,dns_name), id=((((name . "#") . account_id) . "#") . region)` | If the name field is null, set it to the value in LoadBalancerName; otherwise keep the existing name. Do the same for vpc_id (falling back to VpcId) and dns_name (falling back to DNSName). Create the id field as a concatenation of name, account_id, and region with "#" in between. |
| `\|dedup id sortby - created_time` | Remove duplicate instances by ID and sort the remaining results with the most recent instances first. |
| `\|table account_id created_time region name dns_name vpc_id` | Display the results in a table with columns in the order shown. |
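To check the field fallback and deduplication logic without any AWS data, the following added example (not part of the original procedure) runs the same eval, dedup, and table steps over four constructed events. It assumes a Splunk version that supports `makeresults format=json`; every account ID, name, DNS name, and VPC ID in it is constructed.

```spl
| makeresults format=json data="[
  {\"account_id\":\"111111111111\",\"region\":\"us-east-1\",\"created_time\":\"2024-01-10T08:00:00.000Z\",\"name\":\"example-elb-a\",\"dns_name\":\"example-elb-a.us-east-1.invalid\",\"vpc_id\":\"vpc-example1\"},
  {\"account_id\":\"111111111111\",\"region\":\"us-east-1\",\"created_time\":\"2024-02-15T09:30:00.000Z\",\"LoadBalancerName\":\"example-elb-b\",\"DNSName\":\"example-elb-b.us-east-1.invalid\",\"VpcId\":\"vpc-example1\"},
  {\"account_id\":\"111111111111\",\"region\":\"us-east-1\",\"created_time\":\"2024-02-15T09:30:00.000Z\",\"LoadBalancerName\":\"example-elb-b\",\"DNSName\":\"example-elb-b.us-east-1.invalid\",\"VpcId\":\"vpc-example1\"},
  {\"account_id\":\"111111111111\",\"region\":\"eu-west-1\",\"created_time\":\"2024-03-20T11:45:00.000Z\",\"name\":\"example-elb-a\",\"dns_name\":\"example-elb-a.eu-west-1.invalid\",\"vpc_id\":\"vpc-example2\"}
]"
| eval name=if(isnull(name),LoadBalancerName,name), vpc_id=if(isnull(vpc_id),VpcId,vpc_id), dns_name=if(isnull(dns_name),DNSName,dns_name), id=((((name . "#") . account_id) . "#") . region)
| dedup id sortby - created_time
| table account_id created_time region name dns_name vpc_id
```

The two events for example-elb-b collapse into one row with name, dns_name, and vpc_id filled from the fallback fields, while example-elb-a remains as two rows because the region component of id differs.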
Result
Sample results for this search are shown in the table below. created_time is a useful field to sort on because it lets you determine how long each ELB has been in service. The table also shows the network DNS name, virtual private cloud ID, location, and account owner. Other fields that are available but not shown below include subnets, ports, protocols, listener, instance state, and ssl_certificate_id. Depending on the information you are trying to track, you might want to add these to the table or track them separately.
| account_id | created_time | region | name | dns_name | vpc_id |
| --- | --- | --- | --- | --- | --- |
| 63605715280 | 2015-11-11T06:00:57.730Z | ap-southeast-1 | TestELB3 | TestELB2-1018970143.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-11-11T06:00:57.730Z | ap-southeast-1 | TATestELB6 | TestELB2-1018970143.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-12-09T09:01:33.070Z | ap-southeast-1 | SaaSQATestELB3 | SaaSQATestELB3-792083005.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-12-11T10:05:10.170Z | ap-southeast-1 | TAtestelb3 | saastestelb-1720685174.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-11-12T14:54:21.170Z | ap-southeast-1 | TATestELB5 | TestELB1-2109315026.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |