Deploy your own Splunk cluster on AWS in minutes!

Given that Splunk Enterprise is a flexible operational intelligence platform, our users adopt it in various forms: using it as a cloud service with Splunk Cloud, deploying it on-premises in their own datacenter, or running it in their own cloud environment such as AWS.

Since Splunk is about turning machine data into valuable insights in as little time as possible, we always strive for that speed element in all aspects of our product usage:


“80% of my time used to be spent on setting up Splunk, now I spend 80% of my time getting value out of Splunk”

Abdallah Mohammed,
Data Architect, Intuit CTO Dev

In that same spirit, we’re delighted to announce the release of Splunk AWS CloudFormation templates as a friction-free self-service tool for fast Splunk deployment in the cloud.

Conventionally, deploying a self-managed distributed Splunk cluster requires advanced Splunk administration and deployment knowledge in addition to DevOps resources. With Splunk AWS CloudFormation, any Splunk user can now deploy a pre-configured Splunk distributed cluster in their own AWS environment in a matter of minutes, not hours or more. More specifically, in less than 30 minutes, any individual or company with an AWS account can create a complete infrastructure equivalent to the one shown in the diagram below, which depicts a dedicated virtual private cloud with a Splunk cluster:

Splunk Cluster AWS Architecture


What can Splunk AWS CloudFormation do for you?

  • Accelerates test drive & deployment time down to minutes
  • Incorporates Splunk best practices for operations and administration
  • Abstracts away low-level details of configuring distributed Splunk
  • Extensible and customizable templates to fit custom needs

Abdallah Mohammed, a Data Architect at Intuit, leverages Splunk AWS CloudFormation for internal Splunk deployments within the CTO Dev organization, which drives Intuit’s technology principles and shared assets across Business Units including Small Business Group and Consumer Tax Group. “80% of my time used to be spent on setting up Splunk,” said Mohammed, “now I spend 80% of my time getting value out of Splunk by building data models, searches & dashboards. What used to take days to get all configured, now I can do in a few minutes with Splunk [AWS] CloudFormation.”


How to get started with Splunk AWS CloudFormation?

Splunk CloudFormation templates can be found on GitHub.

To get up and running with your own Splunk cluster, follow the simple step-by-step guide using an existing AWS account. Here are the main templates (click on a template link to launch it directly in AWS CloudFormation):

  1. vpc_master: creates your own secure virtual private cloud (VPC), including subnets and the required resources.
  2. splunk_cluster: provisions a Splunk cluster in the previously created VPC, including a cluster master, a search head and N indexer peers.

You can use either a simple push-button form (shown below) through the AWS CloudFormation console, or the command line via the AWS CLI if that’s your preference. Either way, you can change a few parameters to customize your deployment, in particular:

  • Choose your own Splunk deployment size: small, medium or large (3, 5 or 9 indexers respectively)
  • Choose your own EC2 instance type for proper sizing of the Splunk servers
  • Specify a custom IP address range that is allowed to forward data to this cluster
  • Specify a custom IP address range that is allowed to SSH to the bastion host
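To make those parameter choices concrete, here is an added Python example (not code from the templates or from Splunk) that assembles the splunk_cluster stack parameters in the shape boto3's create_stack call takes and refuses a wide-open range for either ingress CIDR before anything is launched. The parameter key names ClusterSize, InstanceType, ForwarderCIDR and SSHCIDR are assumptions; the template's own Parameters section gives the real ones.

```python
# Added example: validate the two ingress ranges and the cluster size before
# handing parameters to CloudFormation. Parameter key names are assumptions.
import ipaddress

# Deployment sizes from the post: small, medium, large -> 3, 5, 9 indexers.
INDEXERS_BY_SIZE = {"small": 3, "medium": 5, "large": 9}

# Ranges that would expose the indexers or the bastion to the whole internet.
WIDE_OPEN = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def checked_cidr(value, role):
    """Return a validated CIDR string; strict=True rejects host bits set
    below the mask (e.g. 10.1.2.3/8), which is almost always a typo."""
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        raise ValueError(f"{role}: {value!r} is not a valid CIDR") from exc
    if net in WIDE_OPEN:
        raise ValueError(f"{role}: refusing {value}; restrict to known sources")
    return str(net)


def indexer_count(size):
    """Number of indexer peers the chosen deployment size provisions."""
    if size not in INDEXERS_BY_SIZE:
        raise ValueError(f"size must be one of {sorted(INDEXERS_BY_SIZE)}")
    return INDEXERS_BY_SIZE[size]


def build_stack_parameters(size, instance_type, forwarder_cidr, ssh_cidr):
    """Build the Parameters list in the shape boto3 create_stack expects."""
    indexer_count(size)  # validates the size name
    values = {
        "ClusterSize": size,  # hypothetical key
        "InstanceType": instance_type,  # hypothetical key
        "ForwarderCIDR": checked_cidr(forwarder_cidr, "forwarder range"),
        "SSHCIDR": checked_cidr(ssh_cidr, "bastion SSH range"),
    }
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in values.items()]


if __name__ == "__main__":
    # Constructed sample values; the CIDRs are RFC 5737 documentation ranges.
    for p in build_stack_parameters("medium", "c4.large",
                                    "198.51.100.0/24", "203.0.113.5/32"):
        print(p["ParameterKey"], "=", p["ParameterValue"])
```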


create form for Splunk cluster

What’s next?

Splunk AWS CloudFormation templates are provided by Splunkers for Splunkers. They are not a supported product or service, but rather an open-source technical enablement piece. So we encourage you to extend these templates any way you see fit, and leave us a note below on how you’re using them. There’s a growing list of requested features… What feature would you like to see?

Posted by Roy Arsan
