For your consideration - you might want to update the readme stating people have to go and accept the license agreement before launching.

http://aws.amazon.com/marketplace/pp?sku=7azvchdfh74dcxoiwjhztgpel

Could you update https://splunk-cloud.s3.amazonaws.com/chefrepo.tar.gz so it installs the latest version of splunk?

The chef config has splunk versions specified thus

chefrepo/cookbooks/splunk/attributes/versions.rb:default['splunk']['server_version'] = "6.0.1"
chefrepo/cookbooks/splunk/attributes/versions.rb:default['splunk']['forwarder_version'] = "6.0.1"

I could open my vpc to access the chef server or some other method to change this but shouldn't it just work?

Just ran into situation with a customer where neither single nor multi really fits well. First, for several reasons, I don't think we want to suggest that index replication is mandatory (and most customers don't use it today). And if that's not used, then the cluster master goes away.

By tossing in index replication, we are upping the EC2 count, the EBS sizes are impacted by the search & replication factor, and ongoing configuration is made much more complicated. If one doesn't have strict HA/DR requirements, then EBS snapshots will often suffice for continuity plans.

Therefore, I propose a new "distributed" or "mid" template that is closer to single, than multi. It would only create:

• 1 search head
• N indexers configured as search peers

And that's pretty much it.

I've tried hacking up the templates a bit and redirected all s3 links to my own and copied the cookbooks.tar.gz and roles.tar.gz from the splunk-cloud bucket. I modified versions.rb within attributes to use the most current version of Splunk and zipped the package back up and uploaded to my s3 bucket. I can confirm the archives are publicly available and downloadable without issue however I receive "failed to run run chef-solo" upon the first instance creation. Any suggestions?

It's great to see that something is moving in this space( Splunk in AWS cloud ). It would be nice to see some recommendations for deploying Splunk in AWS, e.g. what instance types, how many PIOPS, use of ELB and indexers or define Auto Scaling alarms for indexers.

(I've posted the same comment on blog.splunk.com but it's still in moderation queue, so I'm using more direct approach )

As per http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#creds, use the noecho parameter for password entry fields.

Receiving the following error when using the master template. It fails and begins to rollback upon creating the bastion host.

Embedded stack arn:aws:cloudformation:us-west-2:429815655062:stack/splunk-cfn-test-BastionHost-1H10C7FAQK3H/7827fbc0-2763-11e5-b9e4-50442edf8e6e was not successfully created: The following resource(s) failed to create: [BastionSecurityGroup, CfnUser].

Hi,

While working with the vpc master template, I found that the bastion host creation fails when trying to use an existing key pair. I encountered this issue when following these steps:

1. Create the splunk stack
2. Delete splunk stack
3. Create a new splunk stack in the same region.

Thanks
Rashmi

I see the below issue when trying to run a small deployment

6:45:26 UTC-0700 CREATE_FAILED AWS::CloudFormation::Stack Master-BastionHost-KBPI1BOJYH7P The following resource(s) failed to create: [ControllerCondition].
16:45:25 UTC-0700 CREATE_FAILED AWS::CloudFormation::WaitCondition ControllerCondition WaitCondition received failed message: 'Failed to run cfn-init' for uniqueId: i-94dc6a56

As per CF docs http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html, use the parameter type AWS::EC2::KeyPair::KeyName for ease in data entry.

So, trying to use the template and wasn't able to even get it going. Information below. Not exactly sure what the issue is, so any assistance would be great.

I am logged into our account as an Admin with full access (have run templates before) so I know it's not an access issue.

Thanks!!!

Template location: https://splunk-cloud-us-west-2.s3.amazonaws.com/cloudformation-templates/splunk_cluster.template

Region: US-West-2

Template Variables:

Stack name - {Name}
CIDRBlock - 0.0.0.0/0
ClusterSecurityKey - {Key}
ClusterSize - 3
HostedZoneName: [Blank]
InstanceType - c4.xlarge
KeyName - {KeyName}
SplunkLicenseBucket - {BucketName}
SplunkLicensePath - {LicenseURL}
Subdomain - [Blank]
SubnetCount - 2
SubnetIds - subnet-{ID}, subnet-{ID}
VpcId - vpc-{ID}

Console Error: Template validation error: Template format error: Unresolved resource dependencies [MasterNode] in the Resources block of the template

**MasterNode section from template**:

    "MasterNode" : {
      "Type" : "AWS::CloudFormation::Stack",
      "Condition": "AddLicenseMaster",
      "Metadata" : {
        "Comment" : "Splunk cluster master node + license master."
      },
      "Properties" : {
        "TemplateURL" : { "Fn::Join" : ["/", [{ "Fn::FindInMap" : [ "AWSRegion2s3Bucket", { "Ref" : "AWS::Region" }, "s3Bucket" ]},
                          "cloudformation-templates", "splunk_server.template" ]]},
        "Parameters" : {
          "VpcId"          : { "Ref" : "VpcId" },
          "SubnetId"       : { "Fn::Select" : [ "0", { "Ref" : "SubnetIds" } ] },
          "InstanceType"   : { "Ref" : "InstanceType" },
          "KeyName"        : { "Ref" : "KeyName" },
          "SecurityGroup"  : { "Ref" : "SplunkClusterMasterSecurityGroup" },
          "ClusterSecurityKey" : { "Ref" : "ClusterSecurityKey" },
          "SplunkLicenseBucket" : { "Ref" : "SplunkLicenseBucket" },
          "SplunkLicensePath" : { "Ref" : "SplunkLicensePath" },
          "SplunkRole"     : "cluster-master",
          "ResourceName"   : "MasterNode"
        }
      }
    },

    "MasterNode" : {
      "Type" : "AWS::CloudFormation::Stack",
      "Condition": "SkipLicenseMaster",
      "Metadata" : {
        "Comment" : "Splunk cluster master node."
      },
      "Properties" : {
        "TemplateURL" : { "Fn::Join" : ["/", [{ "Fn::FindInMap" : [ "AWSRegion2s3Bucket", { "Ref" : "AWS::Region" }, "s3Bucket" ]},
                          "cloudformation-templates", "splunk_server.template" ]]},
        "Parameters" : {
          "VpcId"          : { "Ref" : "VpcId" },
          "SubnetId"       : { "Fn::Select" : [ "0", { "Ref" : "SubnetIds" } ] },
          "InstanceType"   : { "Ref" : "InstanceType" },
          "KeyName"        : { "Ref" : "KeyName" },
          "SecurityGroup"  : { "Ref" : "SplunkClusterMasterSecurityGroup" },
          "ClusterSecurityKey" : { "Ref" : "ClusterSecurityKey" },
          "SplunkRole"     : "cluster-master",
          "ResourceName"   : "MasterNode"
        }
      }
    },

when the aws-setup script is updated, the profile information at the top will get overwritten every time. Look to see if we can have user input for the profile name, or, move the config information to a different config file.

Loading the master.template on CloudFormation with 2 indexers, I get the following error in the middle of the process:

16:20:06 UTC-0400 CREATE_FAILED AWS::CloudFormation::Stack BastionHost Embedded stack arn:aws:cloudformation:us-east-1:926291082449:stack/Splunk-BastionHost-1JDRJ8V6LBJVQ/189bfc50-5d79-11e5-bea4-50fa1dbb2c64 was not successfully created: The following resource(s) failed to create: [ControllerCondition].
Physical ID:arn:aws:cloudformation:us-east-1:926291082449:stack/Splunk-BastionHost-1JDRJ8V6LBJVQ/189bfc50-5d79-11e5-bea4-50fa1dbb2c64

Can someone let me know how to troubleshoot this further? Thanks!

I tried to do a small deployment but was facing below issue. 100% repro.

17:39:55 UTC-0800 CREATE_FAILED AWS::CloudFormation::WaitCondition WaitCondition WaitCondition received failed message: 'Failed to install chef' for uniqueId: i-5a698c57

17:39:56 UTC-0800 CREATE_FAILED AWS::CloudFormation::Stack Splunk-SplunkCluster-178XH8XYUAIWW-SearchHead-1NGS2V2AKY9TW The following resource(s) failed to create: [WaitCondition].

Is this related to a recent bug fix?
"#install chef without docs\n",
"gem install ohai --version 6.16.0 --no-ri --no-rdoc || error_exit 'Failed to install ohai'\n",
"gem install chef --version 10.24.0 --no-ri --no-rdoc || error_exit 'Failed to install chef'\n"

Embedded stack arn:aws:cloudformation:us-east-1:975402726461:stack/SplunkTesting-SplunkCluster-1DNX0R34N3G89/cce69170-2fca-11e5-b106-500162a66cb4 was not successfully created: The following resource(s) failed to create: [MasterNodeInternalDNSRecord, SearchHeadDNSRecord, SearchHeadInternalDNSRecord, MasterNodeDNSRecord, PeerNodesDNSRecord].

I am using a subdomain like test.domain.com in route53. Any ideas on why i get this error.

Nice work. Here's a feature request to make this better still by supporting multiple availability zones.