Related Answers
Download topic as PDF
Release notes for the Splunk Add-on for AWS
Version 5.1.0 of the Splunk Add-on for Amazon Web Services was released on July 2, 2021.
Compatibility
Version 5.1.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:
| Splunk platform versions | 8.0 and later |
| CIM | 4.18 and later |
| Supported OS for data collection | Platform independent |
| Vendor products | Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing services, Metadata, SQS, and SNS. |
Versions 5.0.0 and above of the Splunk Add-on for AWS are Python 3 releases, and only compatible with Splunk platform versions 8.0.0 and later. To use version 5.0.0 or later of this add-on, upgrade your Splunk platform deployment to version 8.0.0 or later. For users of Splunk platforms 6.x.x and Splunk 7.x.x, the Splunk Add-on for Amazon Web Services version 4.6.1 is supported. Do not upgrade to Splunk Add-on for AWS 5.0.0 or above on these versions of the Splunk platform.
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 5.1.0 of the Splunk Add-on for AWS version contains the following new and changed features:
- A new data input called Metadata. The Metadata input , which can be accessed in Splunk Web by clicking Create New Input > Description > Metadata, uses the boto3 package to collect Description data. See the Metadata input topic in this manual for more information.
- Migrated the following data inputs from the boto2 package to the boto3 package:
- Cloudtrail
- Config
- Cloudwatch logs.
- Generic S3
- Support for Regional endpoints for all data inputs. Each API call can be made to a region-specific endpoint, instead than a public endpoint.
- Support for private endpoints for the following data inputs:
- Billing Cost and Usage Reports (CUR)
- Cloudtrail
- Cloudwatch
- Cloudwatch Logs
- Generic S3
- Incremental S3
- Kinesis
- SQS-based S3
- Support for disabling the DLQ (Dead Letter Queue) check for SQS-based S3 Crowdstrike event inputs.
The Description input will be deprecated in a future release. The Metadata input has been added as a replacement. The best practice is to begin moving your workloads to the Metadata input.
Fixed issues
Version 5.1.0 of the Splunk Add-on for Amazon Web Services fixes the following, if any, issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2021-07-30 | ADDON-38682 | Generic S3 - AttributeError: 'S3KeyReader' object has no attribute 'seekable' |
| 2021-07-05 | ADDON-37996 | AWS add-on | To confirm if Osaka region on AWS is supported by AWS add-on |
| 2021-06-10 | ADDON-37528 | modular input does not skip over old "GLACIER" folders and keep trying |
| 2021-05-04 | ADDON-34844 | AWS sns Alert fails to be sent, only during first occurrence, it works from second trigger onwards |
| 2021-03-15 | ADDON-32067 | AWS 4.6.1 will not load input/config page |
| 2021-03-08 | ADDON-33998 | Splunk Add-on for Amazon Web Services 5.0.3 - issues with non default management port |
| 2021-02-11 | ADDON-30834 | AWS-TA Kinesis Stream Inputs time is wrong |
| 2021-02-11 | ADDON-33377 | Description Mod input not appending results correctly |
| 2021-02-07 | ADDON-29812 | AWS security-group-rule description is missing in AWS TA |
| 2021-01-12 | ADDON-29815 | Wrong start time to S3 input is mistakenly accepted by TA-AWS |
| 2020-12-29 | ADDON-22096 | AWS Add-on is reporting NULL for NACL data |
Known issues
Version 5.1.0 of the Splunk Add-on for Amazon Web Services has the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2021-07-01 | ADDON-38997 | <revenue-nsw> custom sourcetype/props is not getting honored and causing the line breaking issue |
| 2021-06-13 | ADDON-38108 | v5.0.3 - The provided token has expired |
| 2021-06-09 | ADDON-37958 | The impact of the format change of unstractured field in data events |
| 2021-06-09 | ADDON-37970 | inputs.conf config generate from code for cloudwatch is not grouped together |
| 2021-05-20 | ADDON-37297 | Splunk Add-on for AWS fails with TypeError: cannot unpack non-iterable NoneType object |
| 2021-05-19 | ADDON-37230 | Not ingesting logs on Cloudwatch using AWS add-on:5.0.3 |
| 2021-04-22 | ADDON-36123 | When a role is assumed and a user performs any activity, Splunk extracts the role name as the "username" Workaround: We can easily fix this by using a regex based extraction for userName and user - field=userIdentity.arn ".*\:(?<user_action_type>.*)\/(?<user_role>.*)\/(?<user>.*)" |
| 2021-03-23 | ADDON-35020 | v5.0.3 fields not extracting correctly |
Third-party software attributions
Version 5.1.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.
|
PREVIOUS Saved searches for the Splunk Add-on for AWS |
NEXT Release history for the Splunk Add-on for AWS |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!