Splunk® Supported Add-ons

Splunk Add-on for AWS


Use cases for the Splunk Add-on for AWS

Use the Splunk Add-on for AWS to collect data on Amazon Web Services. The Splunk Add-on for AWS offers pretested add-on inputs for four main use cases, but you can create an input manually for a miscellaneous Amazon Web Service. See Configure miscellaneous inputs for the Splunk Add-on for AWS.

See the following table for use cases and corresponding add-on collection methods:

Use case: Use the Splunk Add-on for AWS to calculate the cost of your Amazon Web Service usage over different lengths of time.
Add-on inputs:
  • Billing (Cost and Usage report)
  • Billing (Legacy)

Use case: Use the Splunk Add-on for AWS to push CloudTrail log data to the Splunk platform. CloudTrail allows you to audit your AWS account.
Add-on inputs:
  • CloudTrail
  • Kinesis data
  • S3 Access Logs

Use case: Use the Splunk Add-on for AWS to push IT and performance data on your Amazon Web Service into the Splunk platform.
Add-on inputs:
  • Amazon CloudWatch data
  • CloudFront Access Logs
  • ELB Access Logs
  • Config and Config Rules data
  • Description data
  • Kinesis data
  • S3 Access Logs
  • SQS-based Access Logs
  • VPC flow log data

Use case: Use the Splunk Add-on for AWS to push security data on your Amazon Web Service into the Splunk platform.
Add-on inputs:
  • Inspector data
  • Inspector (v2) data
  • Config and Config Rules data
  • Description data
  • Kinesis data
  • S3 Access Logs
  • SQS-based Access Logs
  • VPC flow log data

Consider push-based versus pull-based data collection for the Splunk Add-on for AWS

The Splunk Add-on for Amazon Web Services supports both push-based and pull-based data collection for the following vendor products: Amazon Kinesis Firehose data, CloudWatch, VPC Flow Logs, AWS CloudTrail, GuardDuty, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Security Hub findings events.

See the following table to understand the data collection differences:

Push data:
  • For high volume, streaming data.
  • If high availability and scale are required for your deployment.
  • Sends data directly to indexers, so you do not need to manage forwarders.

Pull data:
  • For low volume, rarely changing data.
  • For normal availability and scale.
  • Unless your deployment is in Splunk Cloud, you must manage the forwarders.
Last modified on 03 April, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released
