Splunk® Supported Add-ons

Splunk Add-on for AWS

Release notes for the Splunk Add-on for AWS

Version 5.1.0 of the Splunk Add-on for Amazon Web Services was released on July 2, 2021.


Version 5.1.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.0 and later
CIM: 4.18 and later
Supported OS for data collection: Platform independent
Vendor products: Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing services, Metadata, SQS, and SNS.

Versions 5.0.0 and above of the Splunk Add-on for AWS are Python 3 releases, and only compatible with Splunk platform versions 8.0.0 and later. To use version 5.0.0 or later of this add-on, upgrade your Splunk platform deployment to version 8.0.0 or later. For users of Splunk platforms 6.x.x and Splunk 7.x.x, the Splunk Add-on for Amazon Web Services version 4.6.1 is supported. Do not upgrade to Splunk Add-on for AWS 5.0.0 or above on these versions of the Splunk platform.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 5.1.0 of the Splunk Add-on for AWS contains the following new and changed features:

  • A new data input called Metadata. The Metadata input, which can be accessed in Splunk Web by clicking Create New Input > Description > Metadata, uses the boto3 package to collect Description data. See the Metadata input topic in this manual for more information.
  • Migrated the following data inputs from the boto2 package to the boto3 package:
    • Cloudtrail
    • Config
    • Cloudwatch logs
    • Generic S3
  • Support for Regional endpoints for all data inputs. Each API call can be made to a region-specific endpoint, rather than a public endpoint.
  • Support for private endpoints for the following data inputs:
    • Billing Cost and Usage Reports (CUR)
    • Cloudtrail
    • Cloudwatch
    • Cloudwatch Logs
    • Generic S3
    • Incremental S3
    • Kinesis
    • SQS-based S3
    Private endpoints can perform account authentication and data collection for each supported input, for example for a Splunk instance within a Virtual Private Cloud (VPC) infrastructure.
  • Support for disabling the DLQ (Dead Letter Queue) check for SQS-based S3 Crowdstrike event inputs.

The Description input will be deprecated in a future release. The Metadata input has been added as a replacement. The best practice is to begin moving your workloads to the Metadata input.

Fixed issues

Version 5.1.0 of the Splunk Add-on for Amazon Web Services fixes the following, if any, issues.

Date resolved Issue number Description
2021-07-30 ADDON-38682 Generic S3 - AttributeError: 'S3KeyReader' object has no attribute 'seekable'
2021-07-05 ADDON-37996 AWS add-on | To confirm if Osaka region on AWS is supported by AWS add-on
2021-06-10 ADDON-37528 modular input does not skip over old "GLACIER" folders and keeps trying
2021-05-04 ADDON-34844 AWS sns Alert fails to be sent, only during first occurrence, it works from second trigger onwards
2021-03-15 ADDON-32067 AWS 4.6.1 will not load input/config page
2021-03-08 ADDON-33998 Splunk Add-on for Amazon Web Services 5.0.3 - issues with non default management port
2021-02-11 ADDON-30834 AWS-TA Kinesis Stream Inputs time is wrong
2021-02-11 ADDON-33377 Description Mod input not appending results correctly
2021-02-07 ADDON-29812 AWS security-group-rule description is missing in AWS TA
2021-01-12 ADDON-29815 Wrong start time to S3 input is mistakenly accepted by TA-AWS
2020-12-29 ADDON-22096 AWS Add-on is reporting NULL for NACL data

Known issues

Version 5.1.0 of the Splunk Add-on for Amazon Web Services has the following, if any, known issues.

Date filed Issue number Description
2021-07-01 ADDON-38997 <revenue-nsw> custom sourcetype/props is not getting honored and causing the line breaking issue
2021-06-13 ADDON-38108 v5.0.3 - The provided token has expired
2021-06-09 ADDON-37958 The impact of the format change of unstructured field in data events
2021-06-09 ADDON-37970 inputs.conf config generate from code for cloudwatch is not grouped together
2021-05-20 ADDON-37297 Splunk Add-on for AWS fails with TypeError: cannot unpack non-iterable NoneType object
2021-05-19 ADDON-37230 Not ingesting logs on Cloudwatch using AWS add-on:5.0.3
2021-04-22 ADDON-36123 When a role is assumed and a user performs any activity, Splunk extracts the role name as the "username". We can easily fix this by using a regex-based extraction for userName and user: field=userIdentity.arn ".*\:(?<user_action_type>.*)\/(?<user_role>.*)\/(?<user>.*)"
2021-03-23 ADDON-35020 v5.0.3 fields not extracting correctly
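
The ADDON-36123 workaround, applied to constructed sample ARNs as an added example (not code from the add-on or from Splunk): it runs the page's pattern with the named groups written in Python's (?P<name>...) syntax and shows which ARN shapes it matches. The attribute() helper with its assumed-role guard, the account ID, and all user and role names are assumptions made for illustration.

```python
import re

# Workaround pattern from the ADDON-36123 entry. Splunk's PCRE named groups
# (?<name>...) are written in Python's (?P<name>...) form; otherwise unchanged.
ARN_RE = re.compile(
    r".*\:(?P<user_action_type>.*)\/(?P<user_role>.*)\/(?P<user>.*)"
)


def extract(arn):
    """Apply the pattern as-is; return its three fields, or None on no match."""
    m = ARN_RE.search(arn)
    return m.groupdict() if m else None


def attribute(arn, current_user):
    """Return (user, role) for an event.

    Added guard (an assumption, not part of the page's workaround): only trust
    the captures when the ARN is an assumed-role ARN, because an IAM user ARN
    that carries a path also has two slashes and would otherwise match.
    """
    fields = extract(arn)
    if fields and fields["user_action_type"] == "assumed-role":
        return fields["user"], fields["user_role"]
    return current_user, None


# Constructed samples: (userIdentity.arn, hypothetical user value before the fix).
SAMPLES = [
    ("arn:aws:sts::111122223333:assumed-role/AdminRole/alice@example.com", "AdminRole"),
    ("arn:aws:iam::111122223333:user/bob", "bob"),          # one slash: no match
    ("arn:aws:iam::111122223333:user/ops/carol", "carol"),  # IAM user with a path
    ("arn:aws:iam::111122223333:root", "root"),             # no slash: no match
]

if __name__ == "__main__":
    for arn, before in SAMPLES:
        print(arn, "->", extract(arn), "->", attribute(arn, before))
```

Without the guard, the IAM user with a path would be reported with user_role set to its path segment, so searches that pivot on user_role should filter on user_action_type first.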

Third-party software attributions

Version 5.1.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.

Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released
