Release notes for the Splunk Add-on for AWS
Version 5.1.0 of the Splunk Add-on for Amazon Web Services was released on July 2, 2021.
Version 5.1.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:
|Splunk platform versions||8.0 and later|
|CIM||4.18 and later|
|Supported OS for data collection||Platform independent|
|Vendor products||Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing services, Metadata, SQS, and SNS.|
Versions 5.0.0 and above of the Splunk Add-on for AWS are Python 3 releases, and only compatible with Splunk platform versions 8.0.0 and later. To use version 5.0.0 or later of this add-on, upgrade your Splunk platform deployment to version 8.0.0 or later. For users of Splunk platforms 6.x.x and Splunk 7.x.x, the Splunk Add-on for Amazon Web Services version 4.6.1 is supported. Do not upgrade to Splunk Add-on for AWS 5.0.0 or above on these versions of the Splunk platform.
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Version 5.1.0 of the Splunk Add-on for AWS contains the following new and changed features:
- A new data input called Metadata. The Metadata input, which can be accessed in Splunk Web by clicking Create New Input > Description > Metadata, uses the boto3 package to collect Description data. See the Metadata input topic in this manual for more information.
- Migrated the following data inputs from the boto2 package to the boto3 package:
  - CloudWatch Logs
  - Generic S3
- Support for Regional endpoints for all data inputs. Each API call can be made to a region-specific endpoint, instead of a public endpoint.
- Support for private endpoints for the following data inputs:
  - Billing Cost and Usage Reports (CUR)
  - CloudWatch Logs
  - Generic S3
  - Incremental S3
  - SQS-based S3
- Support for disabling the DLQ (Dead Letter Queue) check for SQS-based S3 CrowdStrike event inputs.
The Description input will be deprecated in a future release. The Metadata input has been added as a replacement. The best practice is to begin moving your workloads to the Metadata input.
Version 5.1.0 of the Splunk Add-on for Amazon Web Services fixes the following, if any, issues.
|Date resolved||Issue number||Description|
|2021-07-30||ADDON-38682||Generic S3 - AttributeError: 'S3KeyReader' object has no attribute 'seekable'|
|2021-07-05||ADDON-37996||AWS add-on | To confirm if Osaka region on AWS is supported by AWS add-on|
|2021-06-10||ADDON-37528||modular input does not skip over old "GLACIER" folders and keep trying|
|2021-05-04||ADDON-34844||AWS sns Alert fails to be sent, only during first occurrence, it works from second trigger onwards|
|2021-03-15||ADDON-32067||AWS 4.6.1 will not load input/config page|
|2021-03-08||ADDON-33998||Splunk Add-on for Amazon Web Services 5.0.3 - issues with non default management port|
|2021-02-11||ADDON-30834||AWS-TA Kinesis Stream Inputs time is wrong|
|2021-02-11||ADDON-33377||Description Mod input not appending results correctly|
|2021-02-07||ADDON-29812||AWS security-group-rule description is missing in AWS TA|
|2021-01-12||ADDON-29815||Wrong start time to S3 input is mistakenly accepted by TA-AWS|
|2020-12-29||ADDON-22096||AWS Add-on is reporting NULL for NACL data|
Version 5.1.0 of the Splunk Add-on for Amazon Web Services has the following, if any, known issues.
|Date filed||Issue number||Description|
|2021-07-01||ADDON-38997||<revenue-nsw> custom sourcetype/props is not getting honored and causing the line breaking issue|
|2021-06-13||ADDON-38108||v5.0.3 - The provided token has expired|
|2021-06-09||ADDON-37958||The impact of the format change of unstructured field in data events|
|2021-06-09||ADDON-37970||inputs.conf config generate from code for cloudwatch is not grouped together|
|2021-05-20||ADDON-37297||Splunk Add-on for AWS fails with TypeError: cannot unpack non-iterable NoneType object|
|2021-05-19||ADDON-37230||Not ingesting logs on Cloudwatch using AWS add-on:5.0.3|
|2021-04-22||ADDON-36123||When a role is assumed and a user performs any activity, Splunk extracts the role name as the "username"|
We can easily fix this by using a regex-based extraction for userName and user - field=userIdentity.arn ".*\:(?<user_action_type>.*)\/(?<user_role>.*)\/(?<user>.*)"
|2021-03-23||ADDON-35020||v5.0.3 fields not extracting correctly|
Third-party software attributions
Version 5.1.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.
This documentation applies to the following versions of Splunk® Supported Add-ons: released