Splunk Add-on for AWS

Source types for the Splunk Add-on for AWS

The Splunk Add-on for Amazon Web Services (AWS) provides the index-time and search-time knowledge for alerts, events, and performance metrics. Source types and event types map the Amazon Web Service data to the Splunk Common Information Model (CIM).

See Troubleshoot the Splunk Add-on for AWS to find source types for internal logs.

See the following tables for the source types and event types used in AWS data mapping:

Pull-based API data collection sourcetypes

| Data type | Source type | Description | Supported input types | Data models |
|---|---|---|---|---|
| Billing | aws:billing, aws:billing:cur | aws:billing represents billing reports that you have configured in AWS. aws:billing:cur represents cost and usage reports. | Billing (Cost and Usage Report), Billing (Legacy) | CIM: None; ES Custom: None; ITSI: None |
| CloudFront Access Logs | aws:cloudfront:accesslogs | Represents CloudFront Access Logs. | SQS-based S3, Generic S3, Incremental S3 | CIM: None; ES Custom: None; ITSI: None |
| CloudTrail | aws:cloudtrail | Represents AWS API call history from the AWS CloudTrail service. | SQS-based S3, CloudTrail, Generic S3, Incremental S3 | |
| CloudWatch | aws:cloudwatch | Represents performance and billing metrics from the AWS CloudWatch service. | CloudWatch | |
| CloudWatch Logs | aws:cloudwatchlogs, aws:cloudwatchlogs:vpcflow | aws:cloudwatchlogs represents generic data from the CloudWatch Logs service. aws:cloudwatchlogs:vpcflow represents VPC flow logs from the CloudWatch Logs service. | Kinesis, CloudWatch Logs | CIM: Network Traffic, but only for aws:cloudwatchlogs:vpcflow; ES Custom: None; ITSI: None |
| Config | aws:config, aws:config:notification | aws:config represents real-time and historical configuration snapshots. aws:config:notification represents configuration change notifications. | SQS-based S3, AWS Config | |
| Config Rules | aws:config:rule | Represents compliance details, compliance summary, and evaluation status of your AWS Config Rules. | Config Rules | |
| Delimited Files | aws:s3:csv | Represents delimited files (CSV, PSV, TSV file extensions). Provides an index-time timestamp for events. | SQS-based S3, Generic S3 | CIM: None; ES Custom: None; ITSI: None |
| ELB Access Logs | aws:elb:accesslogs | Represents ELB Access Logs. | SQS-based S3, Generic S3, Incremental S3 | CIM: None; ES Custom: None; ITSI: None |
| Inspector | aws:inspector, aws:inspector:v2:findings | aws:inspector represents assessments, runs, and findings data from the Amazon Inspector service. aws:inspector:v2:findings represents findings data from the Amazon Inspector service. | Inspector, Inspector (v2) | |
| Metadata | aws:metadata | Descriptions of your AWS EC2 instances, reserved instances, and EBS snapshots. | Metadata | |
| S3 | aws:s3 | Represents generic log data from your S3 buckets. | Generic S3, Incremental S3, SQS-based S3 | CIM: None; ES Custom: None; ITSI: None |
| S3 Access Logs | aws:s3:accesslogs | Represents S3 Access Logs. | SQS-based S3, Generic S3, Incremental S3 | CIM: Web; ES Custom: None; ITSI: None |
| Amazon Security Lake | aws:asl | aws:asl represents AWS API dataset data collection from Amazon Security Lake. | SQS-based S3 | CIM: None; ES Custom: None; ITSI: None |
| SQS | aws:sqs | Represents generic data from SQS. | SQS | CIM: None; ES Custom: None; ITSI: None |
| VPC Flow Logs | aws:cloudwatchlogs:vpcflow | Represents VPC Flow Logs. | SQS-based S3, Kinesis, CloudWatch Logs | |
| GuardDuty Events | aws:cloudwatchlogs:guardduty | Represents GuardDuty Events. | CloudWatch Logs | CIM: Alerts; ES Custom: None; ITSI: None |

Push-based Amazon Kinesis Firehose data collection sourcetypes

The Splunk Add-on for Amazon Web Services provides knowledge management for the following Amazon Kinesis Firehose source types:

| Data source | Source type | CIM compliance | Description |
|---|---|---|---|
| CloudTrail events | aws:cloudtrail | Change, Authentication | AWS API call history from the AWS CloudTrail service, delivered as CloudWatch events. For CloudTrail events embedded within CloudWatch events, override the source name optional field with aws_firehose_cloudtrail in the HTTP Event Collector (HEC) token for index-time field extractions. The Change data model includes the Network dataset for some fields. |
| CloudWatch events | aws:firehose:cloudwatchevents | None | Data from CloudWatch. You can also extract CloudTrail events embedded within CloudWatch events with this source type. |
| GuardDuty events | aws:cloudwatch:guardduty | Alerts, Intrusion Detection | GuardDuty events from CloudWatch. For GuardDuty events embedded within CloudWatch events, override the source name optional field with aws_cloudwatchevents_guardduty in the HEC token for index-time field extractions. |
| Amazon Identity and Access Management (IAM) Access Analyzer events | aws:accessanalyzer:finding | None | When using an EventBridge event bus to ingest the events, set the source to aws_eventbridgeevents_iam_aa when configuring the HEC token. |
| Amazon Kinesis Firehose JSON data | aws:firehose:json | None | Any JSON-formatted Firehose data. |
| Amazon Kinesis Firehose text data | aws:firehose:text | None | Firehose raw text format. |
| AWS Security Hub | aws:securityhub:finding | Alerts | Collect events from AWS Security Hub. For AWS Security Hub events embedded within AWS CloudWatch events, override the source name optional field with aws_cloudwatchevents_securityhub in the HEC token for index-time field extractions. |
| VPC Flow Logs | aws:cloudwatchlogs:vpcflow | Network Traffic | VPC Flow Logs from CloudWatch. When ingesting CloudWatch logs, set the Lambda buffering size to 1 MB; see the data transformation flow in the Amazon Kinesis Firehose documentation for more information. For an example Kinesis Firehose Lambda function that removes the JSON wrapper around VPC Flow Logs before they reach Splunk, see https://github.com/ranjitkk/ranjit_aws_repo_public/blob/main/Splunk_FlowLogs_Firehose_processor.py. |
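The Lambda referenced for VPC Flow Logs strips the CloudWatch Logs subscription envelope so that Splunk receives raw flow-log lines for the aws:cloudwatchlogs:vpcflow source type. The following is an added example of such a Firehose transformation function written for this page; it is not the code in the linked repository. It assumes the standard Firehose data-transformation request and response shape (recordId, data, result), and the sample envelope and its values are constructed.

```python
import base64
import gzip
import json

# Constructed sample: one VPC Flow Logs record as CloudWatch Logs hands it to Firehose. Values are made up.
SAMPLE_ENVELOPE = {
    "messageType": "DATA_MESSAGE",
    "owner": "111122223333",
    "logGroup": "vpc-flow-logs",
    "logStream": "eni-0123456789abcdef0-all",
    "subscriptionFilters": ["to-splunk-firehose"],
    "logEvents": [
        {"id": "1", "timestamp": 1708560000000,
         "message": "2 111122223333 eni-0123456789abcdef0 10.0.1.10 10.0.2.20 49152 443 6 10 8400 1708560000 1708560060 ACCEPT OK"},
        {"id": "2", "timestamp": 1708560001000,
         "message": "2 111122223333 eni-0123456789abcdef0 10.0.2.20 10.0.1.10 443 49152 6 8 6200 1708560000 1708560060 ACCEPT OK"},
    ],
}

def encode_record(envelope: dict) -> str:
    """Pack an envelope the way CloudWatch Logs delivers it to Firehose (gzip, then base64)."""
    return base64.b64encode(gzip.compress(json.dumps(envelope).encode())).decode()

def decode_payload(out_record: dict) -> str:
    """Decode the transformed data Splunk would receive from one output record."""
    return base64.b64decode(out_record["data"]).decode()

def unwrap_record(record: dict) -> dict:
    """Transform one Firehose record. Firehose requires exactly one output record per input recordId,
    so all log events in the envelope are joined newline-delimited; Splunk line-breaks them into events."""
    try:
        envelope = json.loads(gzip.decompress(base64.b64decode(record["data"])))
        if not isinstance(envelope, dict):
            raise ValueError("envelope is not a JSON object")
    except (ValueError, OSError, KeyError):
        # Hand the original data back so Firehose backs it up to S3 instead of losing it.
        return {"recordId": record["recordId"], "result": "ProcessingFailed", "data": record.get("data", "")}
    if envelope.get("messageType") == "CONTROL_MESSAGE":
        return {"recordId": record["recordId"], "result": "Dropped"}  # subscription health ping, not data
    lines = [e["message"] for e in envelope.get("logEvents", []) if e.get("message")]
    if envelope.get("messageType") != "DATA_MESSAGE" or not lines:
        return {"recordId": record["recordId"], "result": "ProcessingFailed", "data": record["data"]}
    payload = "\n".join(lines) + "\n"
    return {"recordId": record["recordId"], "result": "Ok", "data": base64.b64encode(payload.encode()).decode()}

def handler(event: dict, context=None) -> dict:
    """Lambda entry point for the Firehose data-transformation request."""
    return {"records": [unwrap_record(r) for r in event["records"]]}
```

Deploy handler as the Firehose stream's transformation Lambda; a CONTROL_MESSAGE test record is dropped, undecodable records go to the S3 backup bucket, and each DATA_MESSAGE arrives at Splunk as plain flow-log lines.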

Last modified on 22 February, 2024
