Splunk® Enterprise

Add AWS CloudTrail data with Kinesis Firehose: Splunk Cloud

Acrobat logo Download manual as PDF

Splunk Enterprise version 8.0 will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Configure Amazon Kinesis Firehose to send data to the Splunk platform

Go to the AWS Management Console to configure Amazon Kinesis Firehose to send data to the Splunk platform. See Choose Splunk for Your Destination in the AWS documentation for step-by-step instructions. Repeat this process for each token that you configured in the HTTP event collector, or that Splunk Support configured for you.

When prompted during the configuration, enter the following information:

Field in Amazon Kinesis Firehose configuration page Value
Destination Select Splunk.
Splunk cluster endpoint Enter your ELB URL in this format: https://http-inputs-firehose-<your unique cloud hostname here>.splunkcloud.com:443.
For example, if your Splunk Cloud URL is https://mydeployment.splunkcloud.com, enter https://http-inputs-firehose-mydeployment.splunkcloud.com:443.
Splunk endpoint type Select raw unless you are using an AWS Lambda function to format your events for the HTTP event collector event endpoint, in which case you should choose event.
Authentication token Enter the HEC token that you configured or received from Splunk Support.
S3 backup mode As a best practice, backup all events to S3 until you have validated that events are fully processed by the Splunk platform and available in Splunk searches. You can adjust this setting after you have verified that your data is searchable in the Splunk platform.

After you configure Amazon Kinesis Firehose to send data to the Splunk platform, go to the Splunk search page and search for the source types of the data you are collecting. Make sure that your data is searchable in the Splunk platform before you adjust the S3 backup mode setting in the AWS Management Console.

Last modified on 12 June, 2019
Install the Splunk Add-on for AWS in a Splunk Cloud deployment
Validate your data

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters