Splunk® Enterprise

Add AWS CloudTrail data with Kinesis Firehose: Splunk Cloud


Splunk Enterprise version 8.0 will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About Guided Data Onboarding for AWS

Using both Splunk Web and the Splunk documentation, Guided Data Onboarding (GDO) provides end-to-end guidance for getting specific AWS and Kinesis Firehose data sources into specific Splunk platform deployments. If you have a Splunk deployment up and running, and an admin or equivalent role that lets you install add-ons, you can use these guides to get data from popular data sources into Splunk.

Where to find Guided Data Onboarding

From your home page in Splunk Web, you can find the data onboarding guides by clicking Add Data. Then, you can either search for a data source or explore different categories of data sources. Currently, the categories are Networking, Operating System, and Security.

After you select your data source, you must select a deployment scenario. Then, you can view diagrams and high-level steps to set up and to configure your data source.

Splunk Web links to documentation that explains how to set up and configure your data source in greater detail. You can find all the Guided Data Onboarding manuals by clicking the Add data tab on the Splunk Enterprise Documentation site.

Supported Deployment Scenarios

For each data source, Splunk currently supports Guided Data Onboarding for three deployment scenarios. See the following table for a description of each scenario:

Deployment scenario                            | Description
-----------------------------------------------|------------
                                               | A single Splunk Enterprise instance handles both indexing and search management. In this deployment scenario, you typically also install forwarders on your data-generating hosts to feed data from the hosts to your single instance.
Distributed deployment with indexer clustering | In a distributed deployment, multiple Splunk Enterprise instances work together to support environments in which data originates on many machines, or in which many users need to search the data. Indexer clustering is a Splunk Enterprise feature by which an indexer cluster replicates data to achieve several goals: data availability, data fidelity, disaster tolerance, and improved search performance.
Splunk Cloud                                   | Splunk Cloud delivers the benefits of Splunk Enterprise as a cloud-based service.

If you need help determining your deployment, see the Inheriting a Splunk Enterprise Deployment manual.

Turn off Guided Data Onboarding

If you do not want the Guided Data Onboarding feature to appear in Splunk Web, go to your $SPLUNK_HOME/etc/apps/splunk_gdi/default/gdi_settings.conf file and set the allowWebService variable to false.

Further resources

Learn more about HEC

Learn more about security

Configure your indexer to use your certificates in Securing Splunk Enterprise.

Last modified on 31 July, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
