Splunk® Supported Add-ons

Splunk Add-on for AWS


Configure VPC Flow Logs inputs for the Splunk Add-on for AWS

Complete the steps to configure VPC Flow Log inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
  2. See Configure Kinesis inputs for the Splunk Add-on for AWS if you ingest VPC flow logs through Kinesis Data Streams.
  3. See Configure CloudWatch Log inputs for the Splunk Add-on for AWS if you ingest VPC flow logs through CloudWatch Logs.
  4. See Configure SQS-based S3 inputs for the Splunk Add-on for AWS if you ingest VPC flow logs through SQS-based S3.

The Splunk Add-on for AWS supports VPC flow logs in the following log formats. Fields must appear in one of the following orders for the add-on's field extractions to work.

For the full list of v1-v5 fields to add, in the given order, when you select Custom Format or Custom Format and Select All, see the Available fields section of the Logging IP traffic using VPC Flow Logs topic in the AWS documentation.

Logs are indexed with the source type aws:cloudwatchlogs:vpcflow. For more information, see Source types for the Splunk Add-on for AWS.

Log format: Default
Ordered list of fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status

Log format: Custom
Ordered list of fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status, vpc-id, subnet-id, instance-id, tcp-flags, type, pkt-srcaddr, pkt-dstaddr, region, az-id, sublocation-type, sublocation-id, pkt-src-aws-service, pkt-dst-aws-service, flow-direction, traffic-path

Log format: Select All
Ordered list of fields: account-id, action, az-id, bytes, dstaddr, dstport, end, flow-direction, instance-id, interface-id, log-status, packets, pkt-dst-aws-service, pkt-dstaddr, pkt-src-aws-service, pkt-srcaddr, protocol, region, srcaddr, srcport, start, sublocation-id, sublocation-type, subnet-id, tcp-flags, traffic-path, type, version, vpc-id
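To make the field-order requirement concrete, here is an added example (not code from the Splunk Add-on for AWS) that labels the space-delimited tokens of a flow log record using the three orders in the table above, and rejects a record whose token count does not match the declared format, which is what a mis-ordered custom format looks like to a parser. The sample records are constructed for illustration; the handling of "-" as "no value" follows how AWS writes NODATA/SKIPDATA records.

```python
# Added example (not Splunk add-on code): label VPC Flow Log tokens using the
# three field orders from the table above. Sample records are constructed.

DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()
CUSTOM_FIELDS = DEFAULT_FIELDS + (
    "vpc-id subnet-id instance-id tcp-flags type pkt-srcaddr pkt-dstaddr "
    "region az-id sublocation-type sublocation-id pkt-src-aws-service "
    "pkt-dst-aws-service flow-direction traffic-path"
).split()
SELECT_ALL_FIELDS = (
    "account-id action az-id bytes dstaddr dstport end flow-direction "
    "instance-id interface-id log-status packets pkt-dst-aws-service "
    "pkt-dstaddr pkt-src-aws-service pkt-srcaddr protocol region srcaddr "
    "srcport start sublocation-id sublocation-type subnet-id tcp-flags "
    "traffic-path type version vpc-id"
).split()
FORMATS = {"default": DEFAULT_FIELDS, "custom": CUSTOM_FIELDS,
           "select_all": SELECT_ALL_FIELDS}

# Integer-valued fields. AWS writes "-" when a field has no value (for
# example on NODATA/SKIPDATA records), which this parser maps to None.
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
           "start", "end", "tcp-flags", "traffic-path"}


def parse_record(line: str, fmt: str) -> dict:
    """Name each token of one record according to the chosen format.
    A token count that differs from the declared order means a mis-ordered or
    incomplete custom format; fail loudly rather than mislabel the values."""
    fields = FORMATS[fmt]
    tokens = line.split()
    if len(tokens) != len(fields):
        raise ValueError(f"{fmt}: expected {len(fields)} fields, got {len(tokens)}")
    record = {}
    for name, tok in zip(fields, tokens):
        if tok == "-":
            record[name] = None
        else:
            record[name] = int(tok) if name in NUMERIC else tok
    return record


# Constructed sample records in Default order: an accepted TCP/443 flow and a
# NODATA record in which AWS emits "-" for the traffic fields.
SAMPLE_ACCEPT = ("2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.7 49152 443 6 "
                 "10 8400 1700000000 1700000060 ACCEPT OK")
SAMPLE_NODATA = ("2 123456789012 eni-0a1b2c3d - - - - - - - "
                 "1700000000 1700000060 - NODATA")
```

Parsing SAMPLE_ACCEPT as "custom" raises ValueError because a Default record carries 14 tokens while the Custom order expects 29; that mismatch is the failure to look for when field extractions come out wrong after a format change.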

Update log formatting in AWS VPC

To update the log format in your AWS VPC to ensure successful field extractions, perform the following steps:

  1. Navigate to the AWS VPC dashboard and select Virtual private cloud > Your VPCs.
  2. Enter a Name, then choose the Filter, Minimum aggregation interval, Destination, and the corresponding fields.
  3. For Log record format, select one of the following options:
    • Select Default (not supported in version 6.3.0; supported in version 6.3.1 and later).
    • Select Custom, and add the fields in the order given in the field table earlier in this topic.
    • Select the Select All option.
  4. Delete the previous VPC flow log that used the old log format.

For more information on updating the log format in AWS VPC, see the Create a flow log section of the Work with flow logs topic in the AWS documentation.

Last modified on 22 February, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released
