Configure alerts for the Splunk Add-on for AWS¶
Complete the steps to configure and use the Simple Notification Service (SNS) alerts for the Splunk Add-on for Amazon Web Services (AWS):
- You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
- Configure AWS services for SNS alerts.
- Configure AWS permissions for SNS alerts.
- Create an SNS alert search.
- Use the alert action.
To use the search commands and alert actions included with the Splunk Add-on for AWS, you must either be an administrator or a user with the appropriate capability:
- list_storage_passwords if you are using Splunk Enterprise 6.5.0 or higher.
- admin_all_objects if you are using a version of Splunk Enterprise lower than 6.5.0.
Configure AWS permissions for SNS alerts¶
Required permissions for Amazon SNS:
- Publish
- Get*
- List*
See the following sample inline policy to configure SNS alert permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "sns:Get*",
                "sns:List*"
            ],
            "Resource": "*"
        }
    ]
}
Note that Resource "*" lets the credentials the add-on uses publish to every SNS topic in the account. Where possible, restrict sns:Publish and sns:Get* to the ARN of the topic the alerts are sent to, and keep Resource "*" only for sns:List*, because sns:ListTopics does not accept a topic ARN.
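As an added example, not part of the Splunk Add-on for AWS or its documentation, the following Python script lints an IAM policy document against the three SNS grants listed above and flags grants that leave sns:Publish and sns:Get* on Resource "*". The three policies embedded in it are constructed for the example: the first is the sample inline policy above, the second scopes Publish and Get* to a single topic ARN built from the region and topic name used in the search example later on this page (the account ID 111122223333 is a placeholder), and the third omits sns:Publish to show the missing-grant path. The check reads Allow statements only (Deny statements, NotAction, NotResource and Condition keys are not evaluated), so it is a lint, not a substitute for the IAM policy simulator.

```python
"""Lint an IAM policy for the SNS grants the Splunk Add-on for AWS needs to
send alerts (sns:Publish, sns:Get*, sns:List*), and flag grants that are
wider than the alert topic needs.

Added example: not part of the add-on. The policies and the topic ARN below
are constructed for this illustration.
"""
import fnmatch
import json

# Concrete actions that the documented requirement (Publish, Get*, List*) must cover.
REQUIRED_ACTIONS = ("sns:Publish", "sns:GetTopicAttributes", "sns:ListTopics")

# These accept a topic ARN as Resource and so should not be granted on "*".
# sns:ListTopics takes no resource, so "*" is the only valid Resource for it.
SCOPABLE_ACTIONS = ("sns:Publish", "sns:GetTopicAttributes")

# Constructed: the broad sample policy (every listed SNS action on every topic).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sns:Publish", "sns:Get*", "sns:List*"],
        "Resource": "*",
    }],
})

# Constructed: Publish/Get* limited to the alert topic. Region and topic name
# match the search example on this page; account ID 111122223333 is a placeholder.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sns:Publish", "sns:Get*"],
            "Resource": "arn:aws:sns:ap-southeast-1:111122223333:ta-aws-sns-ingestion",
        },
        {"Effect": "Allow", "Action": "sns:List*", "Resource": "*"},
    ],
})

# Constructed: a policy that forgot sns:Publish, to show the missing-grant path.
NO_PUBLISH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sns:Get*", "sns:List*"], "Resource": "*"}],
})


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_resources(policy_json, action):
    """Return the set of Resource values from Allow statements that grant `action`.

    Static grant check only: Deny statements, NotAction/NotResource and Condition
    keys are not evaluated, so a hit means "granted unless something else denies
    it", not "definitely allowed".
    """
    policy = json.loads(policy_json)
    resources = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            resources.update(_as_list(stmt.get("Resource", [])))
    return resources


def audit(policy_json):
    """Return (missing, overbroad): required actions with no grant at all, and
    scopable actions granted on Resource "*" instead of a topic ARN."""
    missing, overbroad = [], []
    for action in REQUIRED_ACTIONS:
        resources = allowed_resources(policy_json, action)
        if not resources:
            missing.append(action)
        elif action in SCOPABLE_ACTIONS and "*" in resources:
            overbroad.append(action)
    return missing, overbroad


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                         ("no-publish", NO_PUBLISH_POLICY)):
        missing, overbroad = audit(policy)
        print(f"{name:10s} missing={missing} overbroad={overbroad}")
```

Run against the broad sample policy the script reports sns:Publish and sns:GetTopicAttributes as over-broad; against the scoped policy it reports nothing; against the third policy it reports sns:Publish missing. Point it at the policy attached to the IAM user or role whose credentials you configured in the add-on before the first alert fires, so a failed publish is a permissions finding rather than a surprise in the alert log.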
Use the awssnsalert search command¶
Use the awssnsalert search command to send alerts to AWS SNS.
The following example search demonstrates how to use this search command:
... | eval message="My Message" | eval entity="My Entity" | eval correlation_id="1234567890"
| awssnsalert account=real region="ap-southeast-1" topic_name="ta-aws-sns-ingestion" publish_all=1
Use the following table to create an SNS alert search. All attributes are required; publish_all defaults to 0 when omitted.

Attribute | Description |
---|---|
account | The AWS account name configured in the add-on. |
region | The AWS region name. |
topic_name | The name of the AWS SNS topic the alert message is sent to. |
message | The message that the Splunk Add-on for AWS sends to AWS SNS. |
publish_all | Set to 0 or 1. With publish_all=1, the add-on sends every record returned by the search. With publish_all=0, the add-on sends only the first result of the search. The default value is 0. |
Use the alert action¶
The Splunk Add-on for AWS supports automatic incident and event creation and incident update from custom alert actions. Custom alert actions are available in Splunk Enterprise version 6.3.0 and higher.
To create a new incident or event from a custom alert action, follow these steps:
- In Splunk Web, navigate to the Search & Reporting app.
- Write a search string that you want to use to trigger incident or event creation in AWS SNS. Click Save As > Alert.
- Fill out the Alert form. Give your alert a unique name and indicate whether the alert is a real-time alert or a scheduled alert. See Getting started with alerts in the Alerting Manual for more information.
- Under Trigger Actions, click Add Actions.
- From the list, select AWS SNS Alert if you want the alert to create an event in AWS SNS.
- Enter values for all required fields, as shown in the following table:
Field | Description |
---|---|
Account | Required. The account name configured in the Splunk Add-on for AWS. |
Region | Required. The AWS region the events are sent to. Make sure it is the region in which the SNS topic exists. |
Topic Name | Required. The name of the topic the events are sent to. Make sure the topic exists in AWS SNS. |
Correlation ID | Optional. The ID that correlates this alert with other events. If you leave this field empty, Splunk Enterprise uses $result.correlation_id$ by default. |
Entity | Optional. The object related to the event or alert, such as a host, database, or EC2 instance. If you leave this field empty, Splunk Enterprise uses $result.entity$ by default. |
Source | Optional. The source of the event or alert. If you leave this field empty, Splunk Enterprise uses $result.source$ by default. |
Timestamp | Optional. The time the event occurred. If you leave this field empty, Splunk Enterprise uses $result._time$ by default. |
Event | Optional. The details of the event. If you leave this field empty, Splunk Enterprise uses $result._raw$ by default. |
Message | Required. The message that the Splunk Add-on for AWS sends to AWS SNS. |