
Source types for the Splunk Add-on for AWS
The Splunk Add-on for Amazon Web Services (AWS) provides the index-time and search-time knowledge for alerts, events, and performance metrics. Source types and event types map Amazon Web Services data to the Splunk Common Information Model (CIM).
See Troubleshoot the Splunk Add-on for AWS to find source types for internal logs.
See the following table for source types and event types for AWS data mapping:
Pull-based API data collection sourcetypes
Data type | Source type | Description | Supported input types | Data models |
---|---|---|---|---|
Billing | aws:billing | aws:billing represents billing reports that you have configured in AWS. | Billing (Cost and Usage Report), Billing (Legacy) | |
CloudFront Access Logs | aws:cloudfront:accesslogs | Represents CloudFront Access Logs. | SQS-based S3, Generic S3, Incremental S3 | |
CloudTrail | aws:cloudtrail | Represents AWS API call history from the AWS CloudTrail service. | SQS-based S3, CloudTrail, Generic S3, Incremental S3 | |
CloudWatch | aws:cloudwatch | Represents performance and billing metrics from the AWS CloudWatch service. | CloudWatch | |
CloudWatch Logs | aws:cloudwatchlogs | aws:cloudwatchlogs represents generic data from the CloudWatch Logs service. | Kinesis, CloudWatch Logs | |
Config | aws:config | aws:config represents real-time and historical configuration snapshots. | SQS-based S3, AWS Config | |
Config Rules | aws:config:rule | Represents compliance details, compliance summary, and evaluation status of your AWS Config Rules. | Config Rules | |
Delimited Files | aws:s3:csv | Represents delimited files (CSV, PSV, TSV file extensions). Provides index-time timestamp for events. | SQS-based S3, Generic S3 | |
ELB Access Logs | aws:elb:accesslogs | Represents ELB Access Logs. | SQS-based S3, Generic S3, Incremental S3 | |
Inspector | aws:inspector | aws:inspector represents assessments, runs, and findings data from the Amazon Inspector service. | Inspector, Inspector (v2) | |
Metadata | aws:metadata | Descriptions of your AWS EC2 instances, reserved instances, and EBS snapshots. | Metadata | |
S3 | aws:s3 | Represents generic log data from your S3 buckets. | Generic S3, Incremental S3, SQS-based S3 | |
S3 Access Logs | aws:s3:accesslogs | Represents S3 Access Logs. | SQS-based S3, Generic S3, Incremental S3 | |
Amazon Security Lake | aws:asl | aws:asl represents AWS API dataset data collection from Amazon Security Lake. | SQS-based S3 | |
SQS | aws:sqs | Represents generic data from SQS. | SQS | |
VPC Flow Logs | aws:cloudwatchlogs:vpcflow | Represents VPC Flow Logs. | SQS-based S3, Kinesis | |
Push-based Amazon Kinesis Firehose data collection sourcetypes
The Splunk Add-on for Amazon Web Services provides knowledge management for the following Amazon Kinesis Firehose source types:
Data source | Source type | CIM compliance | Description |
---|---|---|---|
CloudTrail events | aws:cloudtrail | Change, Authentication | AWS API call history from the AWS CloudTrail service, delivered as CloudWatch events. For CloudTrail events embedded within CloudWatch events, override the source name optional field |
CloudWatch events | aws:firehose:cloudwatchevents | None | Data from CloudWatch. You can also extract CloudTrail events embedded within CloudWatch events with this sourcetype. |
GuardDuty events | aws:cloudwatch:guardduty | Alerts, Intrusion Detection | GuardDuty events from CloudWatch. For GuardDuty events embedded within CloudWatch events, override the source name optional field with |
Amazon Identity and Access Management (IAM) Access Analyzer events | aws:accessanalyzer:finding | None | When using the EventBridge event bus to ingest the events, set the source to aws_eventbridgeevents_iam_aa when configuring the HEC token. |
Amazon Kinesis Firehose JSON data | aws:firehose:json | None | Any JSON-formatted Firehose data. |
Amazon Kinesis Firehose text data | aws:firehose:text | None | Firehose raw text format. |
AWS Security Hub | aws:securityhub:finding | Alerts | Collects events from AWS Security Hub. For AWS Security Hub events embedded within AWS CloudWatch events, override the source name optional field with |
VPC Flow Logs | aws:cloudwatchlogs:vpcflow | Network Traffic | VPC Flow Logs from CloudWatch. When ingesting CloudWatch logs, set the Lambda buffering size to 1 MB. See the data transformation flow in the Amazon Kinesis Firehose documentation for more information. |