Related Answers
Download topic as PDF
Lookups for the Splunk Add-on for AWS
Lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/lookups on *nix systems and %SPLUNK_HOME%\etc\apps\Splunk_TA_aws\lookups on Windows systems. Lookup files map fields from Amazon Web Services (AWS) to CIM-compliant values in the Splunk platform. The Splunk Add-on for AWS has the following lookups:
| File name | Purpose | |
|---|---|---|
| aws_config_action_lookup.csv | Maps the status field to a CIM-compliant value for the action field.
| |
| aws_config_object_category_lookup.csv | Sorts the various AWS Config object categories into CIM-compliant values for the object_category field.
| |
| aws-cloudtrail-action-status.csv | Maps the eventName and errorCode fields to CIM-compliant values for action and status.
| |
| aws-cloudtrail-changetype.csv | Maps the eventSource to a CIM-compliant value for the change_type field.
| |
| aws-health-error-type.csv | Maps ErrorCode to ErrorDetail, ErrorCode, ErrorDetail.
|
|
| aws-log-sourcetype-modinput.csv | Maps sourcetype to modinput.
|
|
| cloudfront_edge_location_lookup | Maps the x_edge_location value to a human-readable edge_location_name.
| |
| vendor-product-aws-cloudtrail.csv | Defines CIM-compliant values for the vendor, product, and appfields based on the source type.
| |
| vpcflow_action_lookup.csv | Maps the numerical protocol code to a CIM-compliant protocol field and a human-readable field protocol_full_name.
| |
| vpcflow_protocol_code_lookup.csv | Maps the vpcflow_action field to a CIM-compliant action field.
| |
| VmSizeToResources.csv | Maps the instance_type field to CIM-compliant cpu_cores, mem_capacity fields.
|
Last modified on 27 February, 2023
|
PREVIOUS API reference for the Splunk Add-on for AWS |
NEXT Saved searches for the Splunk Add-on for AWS |
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released
Feedback submitted, thanks!