Configure inputs for the Splunk Add-on for AWS
Configure CloudWatch Logs inputs to collect VPC Flow Log data (source type: aws:cloudwatchlogs:vpcflow) from the CloudWatch Logs service.
Configure a VPC Flow Log input on the data collection node using one of the following ways:
- Configure a CloudWatch Logs input using Splunk Web (recommended).
- Configure a CloudWatch Logs input using a configuration file.
Input configuration overview
You can use the Splunk Add-on for AWS to collect data from AWS. For each supported data type, one or more input types are provided for data collection.
Follow these steps to plan and perform your AWS input configuration:
Users adding new inputs must have the admin_all_objects role enabled.
- Click input type to go to the input configuration details.
- Follow the steps described in the input configuration details to complete the configuration.
Configure a CloudWatch Logs input using Splunk Web
To configure inputs using Splunk Web, click on Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then choose one of the following menu paths depending on the data type you want to collect:
- Create New Input > VPC Flow Logs > CloudWatch Logs.
- Create New Input > Others > CloudWatch Logs.
Argument in configuration file | Field in Splunk Web | Description |
---|---|---|
account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your CloudWatch Logs data. In Splunk Web, select an account from the drop-down list. In aws_cloudwatch_logs_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the autodiscovered EC2 IAM role. |
region | AWS Region | The AWS region that contains the data. In aws_cloudwatch_logs_tasks.conf, enter the region ID. |
groups | Log group | A comma-separated list of log group names. Note: Wildcards are not supported for configuring log group names in the current release. |
only_after | Only After | GMT time string in '%Y-%m-%dT%H:%M:%S' format. If set, only events after this time are queried and indexed. Defaults to 1970-01-01T00:00:00. |
stream_matcher | Stream Matching Regex | REGEX to strictly match stream names. Defaults to .* |
interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. Default is 600 seconds. |
sourcetype | Source type | A source type for the events. Enter aws:cloudwatchlogs:vpcflow if you are indexing VPC Flow Log data. Enter aws:cloudwatchlogs if you are collecting any other CloudWatch Logs data. |
index | Index | The index name where the Splunk platform puts the CloudWatch Logs data. The default is main. |
Configure a CloudWatch Logs input using a configuration file
To configure the input using a configuration file, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_cloudwatch_logs_tasks.conf using the following template.

```
[<name>]
account = <value>
groups = <value>
index = <value>
interval = <value>
only_after = <value>
region = <value>
sourcetype = <value>
stream_matcher = <value>
```
Here is an example stanza that collects VPC Flow Log data from two log groups.
```
[splunkapp2:us-west-2]
account = splunkapp2
groups = SomeName/DefaultLogGroup, SomeOtherName/SomeOtherLogGroup
index = default
interval = 600
only_after = 1970-01-01T00:00:00
region = us-west-2
sourcetype = aws:cloudwatchlogs:vpcflow
stream_matcher = eni.*
```
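The following script is an added example, not part of the Splunk add-on or this documentation. It parses a constructed aws_cloudwatch_logs_tasks.conf and checks each stanza against the constraints described in the field table above: required keys present, no wildcards in groups, only_after in '%Y-%m-%dT%H:%M:%S' format, a positive interval, a recognised sourcetype, and a stream_matcher that compiles. Catching these before restarting the add-on avoids the usual silent outcome of a mistyped stanza, which is an input that simply never ingests. The sample conf, the stanza names, and the stream names are constructed; the assumption that "strictly match" means the regex must match the whole stream name is the script's own.

```python
import configparser
import re
from datetime import datetime

# Constructed sample conf: the first stanza is valid, the second has one
# mistake per field so the validator's output can be inspected.
SAMPLE_CONF = """\
[splunkapp2:us-west-2]
account = splunkapp2
groups = SomeName/DefaultLogGroup, SomeOtherName/SomeOtherLogGroup
index = main
interval = 600
only_after = 1970-01-01T00:00:00
region = us-west-2
sourcetype = aws:cloudwatchlogs:vpcflow
stream_matcher = eni.*

[broken:eu-west-1]
account = splunkapp2
groups = /aws/vpc/*
interval = 0
only_after = 2024-01-01 00:00:00
region = eu-west-1
sourcetype = aws:cloudwatchlogs:vpc
stream_matcher = eni-(
"""

REQUIRED = ("account", "groups", "region")
VALID_SOURCETYPES = {"aws:cloudwatchlogs:vpcflow", "aws:cloudwatchlogs"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def validate_stanza(stanza):
    """Return a list of problems found in one input stanza (empty list means OK)."""
    problems = []
    for key in REQUIRED:
        if not stanza.get(key, "").strip():
            problems.append(f"{key}: required but missing")
    # groups is comma-separated; wildcards are not supported by the add-on
    groups = [g.strip() for g in stanza.get("groups", "").split(",") if g.strip()]
    for g in groups:
        if "*" in g or "?" in g:
            problems.append(f"groups: wildcard in '{g}' is not supported; list each log group by name")
    if "interval" in stanza:
        try:
            if int(stanza["interval"]) <= 0:
                problems.append("interval: must be a positive number of seconds")
        except ValueError:
            problems.append(f"interval: '{stanza['interval']}' is not an integer")
    if "only_after" in stanza:
        try:
            datetime.strptime(stanza["only_after"], TIME_FORMAT)
        except ValueError:
            problems.append(f"only_after: '{stanza['only_after']}' is not in {TIME_FORMAT} format")
    st = stanza.get("sourcetype")
    if st and st not in VALID_SOURCETYPES:
        problems.append(f"sourcetype: '{st}' is not one of {sorted(VALID_SOURCETYPES)}")
    if "stream_matcher" in stanza:
        try:
            re.compile(stanza["stream_matcher"])
        except re.error as err:
            problems.append(f"stream_matcher: invalid regex ({err})")
    return problems


def validate_conf(text):
    """Parse conf text (Splunk .conf files are INI-style) and return {stanza: [problems]}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: validate_stanza(dict(parser[name])) for name in parser.sections()}


def stream_matches(pattern, stream_name):
    """Assumed semantics of 'strictly match': the whole stream name must match the regex."""
    return re.fullmatch(pattern, stream_name) is not None


if __name__ == "__main__":
    for name, problems in validate_conf(SAMPLE_CONF).items():
        status = "OK" if not problems else f"{len(problems)} problem(s)"
        print(f"[{name}] {status}")
        for p in problems:
            print(f"  - {p}")
```

Run it against your own local/aws_cloudwatch_logs_tasks.conf by reading the file into validate_conf instead of SAMPLE_CONF. The stream_matches helper is useful for checking a stream_matcher value against real stream names before deploying it, since an overly narrow regex drops streams without any error.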
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10