Skip to content

Saved searches for the Splunk Add-on for AWS

To enable or disable a saved search, follow these steps:

  1. From the Settings menu, choose Searches, reports, and alerts.
  2. Locate the saved search by filtering the list or entering the name of the saved search in the filter field to search for it.
  3. Under the Actions column of the saved search list, select Edit > Enable/Disable to enable or disable the saved search.

Saved searches cannot be scheduled using a free license.

The “Addon Metadata - Summarize AWS Inputs” saved search is disabled by default, but you must enable this saved search in order to aggregate inputs and accounts data in the summary index.

The Splunk Add-on for AWS includes the following saved searches:

Name Search
AWS Bill - Monthly Latest Snapshot 
index="<your index>" eventtype=aws_billing_monthly_report [search index="<your index>"] eventtype=aws_billing_monthly_report [search eventtype=aws_billing_monthly_report | dedup report_month sortby -_time | return 1000 S3KeyLastModified]
AWS Bill - Detailed Cost Latest Snapshot 
index=<"your index"> eventtype=aws_billing_detail_report [search index=<"your index">] eventtype=aws_billing_detail_report  [search eventtype=aws_billing_detail_report RecordType=StatementTotal | dedup report_month sortby -_time | return 1000 S3KeyLastModified]
AWS Bill - Total Cost until Now 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=StatementTotal | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode display.general.type = statistics display.visualizations.show = 0 request.ui_dispatch_view = search
AWS Bill - Total Cost until Now by Service 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=LinkedLineItem | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by ProductName
AWS Bill - Total Cost until Now by Linked Account 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=AccountTotal  | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by LinkedAccount
AWS Bill - Monthly Cost 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=StatementTotal | timechart span=1mon sum(TotalCost) as TotalCost
AWS Bill - Monthly Cost by Service 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=LinkedLineItem  | timechart span=1mon sum(TotalCost) as TotalCost by ProductName limit=20
AWS Bill - Monthly Cost by Linked Account 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=AccountTotal | timechart span=1mon sum(TotalCost) by LinkedAccount limit=20
AWS Bill - Current Month Cost until Now 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=StatementTotal | eval date_month=strftime(_time, "%Y-%m") | eval current_month=strftime(now(), "%Y-%m") | where date_month=current_month | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode display.general.type = statistics display visualizations.show = 0 request.ui_dispatch_view = search
AWS Bill - Current Month Cost until Now by Service 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=LinkedLineItem | eval date_month=strftime(_time, "%Y-%m") | eval current_month=strftime(now(), "%Y-%m") | where date_month=current_month | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by ProductName
AWS Bill - Current Month Cost until Now by Linked Account 
| savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=AccountTotal | eval date_month=strftime(_time, "%Y-%m") | eval current_month=strftime(now(), "%Y-%m") | where date_month=current_month | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by LinkedAccount
AWS Bill - Daily Cost through Last Month - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem | timechart span=1day sum(BlendedCost) as TotalCost
AWS Bill - Daily Cost through Last Month by Service - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(BlendedCost) as TotalCost by ProductName limit=20
AWS Bill - Daily Cost through Last Month by Linked Account - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(BlendedCost) as TotalCost by LinkedAccount limit=20
AWS Bill - Total Cost through Last Month by Region - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  stats sum(BlendedCost) as TotalCost by AvailabilityZone
AWS Bill - Monthly Cost through Last Month by Region - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1mon sum(BlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Daily Cost through Last Month by Region - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(BlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Total Daytime Cost through Last Month - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour>=7 AND date_hour<=17) | stats sum(BlendedCost) as TotalCost display.general.type = statistics display.visualizations.show = 0 request.ui_dispatch_view = search
AWS Bill - Total Nighttime Cost through Last Month - Blended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour < 7 OR date_hour > 17) | stats sum(BlendedCost) as TotalCost display.general.type = statistics display.visualizations.show = 0 request.ui_dispatch_view = search
AWS Bill - Daily Cost through Last Month - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(UnBlendedCost) as TotalCost
AWS Bill - Total Cost through Last Month by Region - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  stats sum(UnBlendedCost) as TotalCost by AvailabilityZone
AWS Bill - Daily Cost through Last Month by Service - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(UnBlendedCost) as TotalCost by ProductName limit=20
AWS Bill - Daily Cost through Last Month by Linked Account - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(UnBlendedCost) as TotalCost by LinkedAccount limit=20
AWS Bill - Monthly Cost through Last Month by Region - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1mon sum(UnBlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Daily Cost through Last Month by Region - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(UnBlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Total Daytime Cost through Last Month - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour>=7 AND date_hour<=17) | stats sum(UnBlendedCost) as TotalCost display.general.type = statistics display.visualizations.show = 0 request.ui_dispatch_view = search
AWS Bill - Total Nighttime Cost through Last Month - Unblended 
| savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour < 7 OR date_hour > 17) | stats sum(UnBlendedCost) as TotalCost display.general.type = statistics display.visualizations.show = 0 request.ui_dispatch_view = search
Addon Metadata - Migrate AWS Accounts 
| listawsaccounts | collect aws-account-index
Addon Metadata - Summarize AWS Inputs 
disabled = 1 enableSched = 1 cron_schedule = 0 * * * * dispatch.earliest_time = 0 dispatch.latest_time = now search = | listawsinputs | collect aws-input-index