Splunk® Supported Add-ons

Splunk Add-on for AWS

Download manual as PDF

Download topic as PDF

Configure SQS inputs for the Splunk Add-on for AWS

Complete the steps to configure SQS inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
  2. Configure AWS services for the SQS input.
  3. Configure AWS permissions for the SQS input. You can skip this step and configure AWS permissions at once, if you prefer. See Configure AWS permissions for all Splunk Add-on for AWS inputs at once.
  4. Configure SQS inputs either through Splunk Web or configuration files.

Configure AWS services for the SQS input

If you plan to use the SQS-based S3 input, you must perform the following:

Configure AWS permissions for the SQS input

Required permissions for Amazon SQS:

  • GetQueueAttributes
  • ListQueues
  • ReceiveMessage
  • GetQueueUrl
  • SendMessage
  • DeleteMessage.

See the following sample inline policy to configure SQS input permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:SendMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Configure an SQS input using Splunk Web

To configure inputs using Splunk Web:

  1. Click Splunk Add-on for AWS in the navigation bar on Splunk Web home.
  2. Click Create New Input > Custom Data Type > SQS.
  3. Use the following table to complete the fields for the new input in the .conf file or in Splunk Web:
Argument in configuration file Field in Splunk Web Description
aws_account AWS Account The AWS account or EC2 IAM role the Splunk platform uses to access your SQS data. In Splunk Web, select an account from the drop-down list. In aws_sqs_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the automatically discovered EC2 IAM role.
aws_region AWS Region The AWS region that contains the log notification SQS queue. In aws_sqs_tasks.conf, enter the region code. For example, the region code for the US East region is us-east-2. See https://docs.aws.amazon.com/general/latest/gr/rande.html#d0e371.
sqs_queues SQS queues The name of the queue to which AWS sends new SQS log notifications. In Splunk Web, you can select a queue from the drop-down list, if your account permissions allow you to list queues, or enter the queue name manually. The queue name is the final segment of the full queue URL. For example, if your SQS queue URL is http://sqs.us-east-1.amazonaws.com/123456789012/testQueue, then your SQS queue name is testQueue.
You can add multiple queues separated by commas.
sourcetype Source type A source type for the events. Enter a value only if you want to override the default of aws:sqs. Event extraction relies on the default value of source type. If you change the default value, you must update props.conf as well.
index Index The index name where the Splunk platform puts the SQS data. The default is main.
interval Interval The number of seconds to wait before the Splunk platform runs the command again. The default is 30 seconds.

Configure an SQS input using configuration files

To configure the input using configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_sqs_tasks.conf using the following template:

[<name>]
aws_account = <value>
aws_region = <value>
sqs_queues = <value>
index = <value>
sourcetype = <value>
interval = <value>
Last modified on 28 August, 2020
PREVIOUS
Configure Generic S3 inputs for the Splunk Add-on for AWS
  NEXT
Configure SQS-based S3 inputs for the Splunk Add-on for AWS

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters