API reference for the Splunk Add-on for AWS
See the following sections for API reference information for the Splunk Add-on for AWS.
AWS account
Manage or configure AWS accounts in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/<account_name>
GET, POST, or DELETE
API for AWS Account settings.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Name | Required | Default | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for AWS account | 
| key_id | 1 | - | AWS account key id | 
| secret_key | 1 | - | AWS account secret key | 
| category | 1 | 1 | AWS account region category. Specify either 1, 2, or 4 (1 = Global, 2 = US Gov, 4 = China) | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all accounts | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account | 
| GET | List specified account | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account | 
| POST | Create account | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account -d name=test_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 | 
| POST | Edit account | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 | 
| DELETE | Delete account | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account | 
AWS Private Account
Manage or configure AWS private accounts in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/<private_account_name>
GET, POST, or DELETE
API for AWS Private Account settings.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Name | Required | Default | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for AWS private account | 
| key_id | 1 | - | AWS private account key id | 
| secret_key | 1 | - | AWS private account secret key | 
| category | 1 | - | AWS private account region category. Specify either 1, 2, or 4 (1 = Global, 2 = US Gov, 4 = China) | 
| sts_region | 1 if using private endpoint | - | AWS region used for STS API calls | 
| private_endpoint_enabled | 0 | - | Whether to use user-provided AWS private endpoints for API calls to AWS services. Specify either 0 or 1 | 
| sts_private_endpoint_url | 1 if using private endpoint | - | Required if private_endpoint_enabled=1. AWS Private endpoint URL | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all accounts | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account | 
| GET | List specified account | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account | 
| POST | Create account | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account -d name=test_private_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 -d sts_region=ap-south-1 -d private_endpoint_enabled=1 -d sts_private_endpoint_url=<encode from actual value → https://vpce-endpoint_id-unique_id.sts.region.vpce.amazonaws.com> | 
| POST | Edit account | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 -d sts_region=ap-northeast-1 -d private_endpoint_enabled=1 -d sts_private_endpoint_url=<encode from actual value → https://vpce-endpoint_id-unique_id.sts.region.vpce.amazonaws.com> | 
| DELETE | Delete account | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account | 
AWS IAM Role
Manage or configure AWS IAM Role in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/<iam_role_name>
GET, POST, or DELETE
API for AWS IAM Role Account settings.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Name | Required | Default | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for AWS IAM role | 
| arn | 1 | - | AWS IAM role ARN | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all IAM roles | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles | 
| GET | List specified IAM role | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role | 
| POST | Create IAM role | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles -d name=test_iam_role -d arn=<encode from actual value → arn:aws:iam::aws_account_id:role/AWSTestIAMRole> | 
| POST | Edit IAM role | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role -d arn=<encode from actual value → arn:aws:iam::aws_account_id:role/AWSTestIAMRole> | 
| DELETE | Delete IAM role | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role | 
Billing (Cost and Usage Report)
Manage or configure Billing (Cost and Usage Report) inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/<billing_cur_input_name>
GET, POST, or DELETE
API for the AWS Billing (Cost and Usage) input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role name | 
| aws_s3_region | 0 | - | Region used to connect to the S3 service through its regional endpoint | 
| bucket_region | 0 | - | Region of the AWS S3 bucket | 
| bucket_name | 1 | - | Name of the S3 bucket to which reports are delivered | 
| report_prefix | 0 | - | Prefixes used to allow AWS to deliver reports into a specified folder | 
| report_names | 0 | - | Regex used to filter reports by name | 
| temp_folder | 0 | - | Full path to a non-default folder for temporarily storing downloaded detailed billing report .zip files | 
| start_date | 0 | 90 days before input is configured | Collect data after this time. Format: %Y-%m | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. | 
| s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with s3 service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with STS service. | 
| interval | 0 | 86400 | Data collection interval, in seconds | 
| sourcetype | 0 | aws:billing:cur | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur -d name=test_billing_cur_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d bucket_region=ap-south-1 -d report_prefix=test_report -d report_names=test_report_name.* -d temp_folder=test_temp_folder -d interval=1800 -d start_date=2023-01 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d bucket_region=ap-south-1 -d report_prefix=test_report -d report_names=test_report_name.* -d temp_folder=test_temp_folder -d interval=1800 -d start_date=2023-01 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input | 
CloudTrail
Manage or configure CloudTrail inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/<cloudtrail_input_name>
GET, POST, or DELETE
API for the AWS CloudTrail input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_region | 1 | - | AWS region to collect data from | 
| sqs_queue | 1 | - | Name of the SQS queue where AWS sends new CloudTrail log notifications | 
| remove_files_when_done | 0 | 0 | Boolean value indicating whether Splunk should delete log files from the S3 bucket after indexing | 
| exclude_describe_events | 0 | 1 | Boolean value indicating whether or not to exclude certain events, such as read-only events that can produce high volume of data | 
| blacklist | 0 | - | A PCRE regex that specifies event names to exclude if exclude_describe_events is set to True. Leave blank to use default regex ^(?:Describe | 
| excluded_events_index | 0 | - | Splunk index to put excluded events. Default is empty which discards the events | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. | 
| s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with s3 service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with STS service. | 
| sqs_private_endpoint_enabled | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with SQS service. | 
| interval | 0 | 30 | Data collection interval, in seconds | 
| sourcetype | 1 | aws:cloudtrail | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail -d name=test_cloudtrail_input -d aws_account=test_account -d aws_region=ap-south-1 -d sqs_queue=test_queue -d remove_files_when_done=0 -d exclude_describe_events=1 -d blacklist=<encode from actual value → test/.*> -d interval=3600 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input -d aws_account=test_account -d aws_region=ap-south-1 -d sqs_queue=test_queue -d remove_files_when_done=1 -d exclude_describe_events=1 -d blacklist=<encode from actual value → test/.*> -d excluded_events_index=test_idx -d interval=3600 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input | 
CloudTrail Lake
Manage or configure CloudTrail Lake inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/<cloudtrail_input_name>
GET, POST, or DELETE
API for the CloudTrail Lake input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input | 
| aws_account | 1 | - | AWS account name | 
| aws_iam_role | 0 | - | AWS IAM role | 
| aws_region | 1 | - | AWS region to collect data from | 
| input_mode | 1 | continuously_monitor | Input mode: collect data continuously (continuously_monitor) or once (index_once). | 
| event_data_store | 1 | - | The CloudTrail Lake event data store from which data is collected. | 
| start_date_time | 1 | 7 days ago | Start date/time to specify how far back to go when initially collecting data. | 
| end_date_time | 1 if input_mode is index_once | - | End date/time up to which the input collects data. | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1 | 
| cloudtrail_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with cloudtrail service | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with sts service | 
| query_window_size | 1 | 15 | This parameter is used to control the chunk size. | 
| delay_throttle | 0 | 5 | This parameter specifies how close to “now” the end date for a query may be (where “now” is the time that the input runs). | 
| interval | 0 | 3600 if input_mode is continuously_monitor, otherwise -1 | Data collection interval | 
| sourcetype | 0 | aws:cloudtrail:lake | Sourcetype of collected data | 
| index | 1 | default | Splunk index to ingest data. Default is main | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake -d name=test_cloudtrail_lake_input -d aws_account=test_account -d aws_region=ap-south-1 -d input_mode=continuously_monitor -d event_data_store=test_data_store -d start_date_time=2024-04-22T06:50:03 -d query_window_size=15 -d interval=3600 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input -d name=test_cloudtrail_lake_input -d aws_account=test_account -d aws_region=ap-south-1 -d input_mode=continuously_monitor -d event_data_store=test_data_store -d start_date_time=2024-04-22T06:50:03 -d query_window_size=15 -d interval=3600 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input | 
Cloudwatch
Manage or configure Cloudwatch inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/<cloudwatch_input_name>
GET, POST, or DELETE
API for the AWS Cloudwatch input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| aws_region | 1 | - | AWS region to collect data from | 
| metric_namespace | 0 | - | Cloudwatch metric namespace, for example AWS/EBS | 
| metric_names | 0 | - | CloudWatch metric names in JSON array | 
| only_after | 0 | 1800 | The input queries the CloudWatch Logs events no later than | 
| metric_dimensions | 0 | - | CloudWatch metric dimensions | 
| statistics | 0 | - | CloudWatch metric statistics. Specify one or more of Average, Sum, SampleCount, Maximum, Minimum | 
| period | 0 | 300 | CloudWatch metrics granularity, in seconds | 
| use_metric_format | 0 | false | Boolean indicating whether to transform data to metric format | 
| metric_expiration | 0 | 3600 | How long the discovered metrics would be cached for, in seconds | 
| query_window_size | 0 | 7200 | How far back to retrieve data points for, in number of data points | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. | 
| monitoring_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with monitoring service. | 
| s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with s3 service. | 
| ec2_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with ec2 service. | 
| elb_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with elb service. | 
| lambda_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with lambda service. | 
| autoscaling_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with autoscaling service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with STS service. | 
| polling_interval | 0 | 600 | Data collection interval. | 
| sourcetype | 1 | aws:cloudwatch | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch -d name=test_cloudwatch_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ap-south-1,ap-northeast-1> -d metric_namespace=<encode from actual value → ["AWS/ApiGateway","AWS/ApiGateway","AWS/ApiGateway","AWS/EC2","AWS/EC2","AWS/EC2","AWS/EC2"]> -d metric_names=<encode from actual value → ["\".*\"","[\"CacheHitCount\",\"5XXError\"]","[\"4XXError\"]","\".*\"","[\"DiskReadBytes\",\"CPUUtilization\"]","[\"CPUUtilization\",\"DiskWriteBytes\"]","\".*\""]> -d metric_dimensions=<encode from actual value → ["[{\"ApiName\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"],\"Method\":[\".*\"],\"Resource\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"]}]","[{\"ImageId\":[\".*\"]}]","[{\"InstanceId\":[\".*\"]}]","[{\"AutoScalingGroupName\":[\".*\"]}]","[{\"InstanceType\":[\".*\"]}]"]> -d statistics=<encode from actual value → ["[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\",\"Sum\"]","[\"Maximum\",\"SampleCount\"]","[\"Average\",\"SampleCount\",\"Maximum\"]","[\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\"]","[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]"]> -d period=300 -d use_metric_format=false -d metric_expiration=3600 -d query_window_size=7200 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input -d aws_region=<encode from actual value → ap-south-1,ap-northeast-1> -d metric_namespace=<encode from actual value → ["AWS/ApiGateway","AWS/ApiGateway","AWS/ApiGateway","AWS/EC2","AWS/EC2","AWS/EC2","AWS/EC2"]> -d metric_names=<encode from actual value → ["\".*\"","[\"CacheHitCount\",\"5XXError\"]","[\"4XXError\"]","\".*\"","[\"DiskReadBytes\",\"CPUUtilization\"]","[\"CPUUtilization\",\"DiskWriteBytes\"]","\".*\""]> -d metric_dimensions=<encode from actual value → ["[{\"ApiName\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"],\"Method\":[\".*\"],\"Resource\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"]}]","[{\"ImageId\":[\".*\"]}]","[{\"InstanceId\":[\".*\"]}]","[{\"AutoScalingGroupName\":[\".*\"]}]","[{\"InstanceType\":[\".*\"]}]"]> -d statistics=<encode from actual value → ["[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\",\"Sum\"]","[\"Maximum\",\"SampleCount\"]","[\"Average\",\"SampleCount\",\"Maximum\"]","[\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\"]","[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]"]> -d period=300 -d use_metric_format=false -d metric_expiration=3600 -d query_window_size=7200 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input | 
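The curl rows above leave the percent-encoding of the `<encode from actual value → …>` values and the conditional required fields (the `*_private_endpoint_url` fields when `private_endpoint_enabled=1`, `end_date_time` when `input_mode` is `index_once`) to the caller. The following Python is an added example, not code from the Splunk docs or from the add-on, that does both for any handler on this page; it generalises the CloudWatch POST example to the other inputs. The base URL and `admin:password` are the page's placeholders, and only `send()` contacts a Splunk management port.

```python
"""Build and sanity-check requests for the Splunk_TA_aws REST handlers on this page.

Added example, not code from the Splunk docs or from the add-on itself. Host,
port and credentials are the placeholders the page uses.
"""
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

# Base URL as used throughout the page's curl examples (placeholder host/port).
BASE_URL = "https://localhost:8089/servicesNS/nobody/Splunk_TA_aws"

# Fields that become required when private_endpoint_enabled=1, taken from the
# "Request body parameters" tables of the respective sections above.
PRIVATE_ENDPOINT_FIELDS = {
    "splunk_ta_aws_aws_billing_cur": ["s3_private_endpoint_url", "sts_private_endpoint_url"],
    "splunk_ta_aws_aws_cloudtrail": ["s3_private_endpoint_url", "sts_private_endpoint_url"],
    "splunk_ta_aws_aws_cloudtrail_lake": ["cloudtrail_private_endpoint_url", "sts_private_endpoint_url"],
    "splunk_ta_aws_aws_cloudwatch_logs": ["sqs_private_endpoint_url", "logs_private_endpoint_url",
                                          "sts_private_endpoint_url"],
    "splunk_ta_aws_aws_s3": ["s3_private_endpoint_url", "sts_private_endpoint_url"],
}


def endpoint_url(handler, name=None, output_mode="json"):
    """URL for a handler, optionally for one named entity, with output_mode set."""
    url = f"{BASE_URL}/{handler}"
    if name is not None:
        url += "/" + quote(name, safe="")
    if output_mode:
        url += "?output_mode=" + quote(output_mode, safe="")
    return url


def encode_body(params):
    """Form-encode the body the way curl -d does. Lists and dicts are first
    serialised as compact JSON (what the page's "<encode from actual value -> [...]>"
    placeholders stand for) and then percent-encoded like every other value."""
    fields = {}
    for key, value in params.items():
        if isinstance(value, (list, dict)):
            value = json.dumps(value, separators=(",", ":"))
        fields[key] = str(value)
    return urlencode(fields)


def missing_fields(handler, params):
    """Conditionally required fields that are absent, per the tables on this page."""
    missing = []
    if str(params.get("private_endpoint_enabled", "0")) == "1":
        # Every handler on the page that supports private endpoints needs the STS URL.
        for field in PRIVATE_ENDPOINT_FIELDS.get(handler, ["sts_private_endpoint_url"]):
            if not params.get(field):
                missing.append(field)
    if (handler == "splunk_ta_aws_aws_cloudtrail_lake"
            and params.get("input_mode") == "index_once"
            and not params.get("end_date_time")):
        missing.append("end_date_time")
    return missing


def build_request(handler, params, name=None):
    """Return (url, body) for a POST, refusing bodies the tables say are incomplete."""
    missing = missing_fields(handler, params)
    if missing:
        raise ValueError(f"{handler}: missing required fields {missing}")
    return endpoint_url(handler, name), encode_body(params)


def send(url, body, username, password, method="POST", timeout=30):
    """Perform the call; equivalent of the curl -u ... -d ... rows. Not run offline."""
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def cloudwatch_create_payload():
    """Constructed CloudWatch input modelled on the POST row above: the JSON-array
    fields are Python lists whose elements are themselves JSON strings, exactly as
    the page's placeholders show them."""
    return {
        "name": "test_cloudwatch_input",
        "aws_account": "test_account",
        "aws_region": "ap-south-1,ap-northeast-1",
        "metric_namespace": ["AWS/ApiGateway", "AWS/EC2"],
        "metric_names": ['".*"', '["DiskReadBytes","CPUUtilization"]'],
        "metric_dimensions": ['[{"ApiName":[".*"],"Stage":[".*"]}]', '[{"InstanceId":[".*"]}]'],
        "statistics": ['["Average","Sum"]', '["Average"]'],
        "period": 300,
        "use_metric_format": "false",
        "sourcetype": "aws:cloudwatch",
        "index": "default",
    }


if __name__ == "__main__":
    url, body = build_request("splunk_ta_aws_aws_cloudwatch", cloudwatch_create_payload())
    print(f"curl -u admin:password '{url}' --data '{body}'")
```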
CloudWatch Logs
Manage or configure CloudWatch Logs inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/<cloudwatch_logs_input_name>
GET, POST, or DELETE
API for the AWS CloudWatch Logs input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| region | 1 | - | AWS region to collect data from | 
| groups | 1 | - | Log group names to get data from, split by comma (,) | 
| only_after | 0 | 1970-01-01T00:00:00 | Only events after the specified GMT time are collected. Format: %Y-%m-%dT%H:%M:%S | 
| stream_matcher | 0 | .* | Regex to match log stream names for ingesting events | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. | 
| sqs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with SQS service. | 
| logs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with logs service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with STS service. | 
| interval | 0 | 600 | Data collection interval. | 
| sourcetype | 1 | aws:cloudwatchlogs | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
| metric_index_flag | 0 | No | Whether to use metric index or event index. | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs -d name=test_cloudwatch_logs_input -d account=test_account -d region=ap-south-1 -d groups=<encode from actual value → test-group-1,test-group-2> -d only_after=<encode from actual value → 2023-01-01T00:00:00> -d stream_matcher=<encode from actual value → test-stream.*> -d interval=300 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input -d account=test_account -d region=ap-south-1 -d groups=<encode from actual value → test-group-1,test-group-2> -d only_after=<encode from actual value → 2023-01-01T00:00:00> -d delay=900 -d stream_matcher=<encode from actual value → test-stream.*> -d interval=300 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input | 
Config Inputs
Manage or configure Config inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/<config_input_name>
GET, POST, or DELETE
API for the AWS Config input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input | 
| aws_account | 1 | - | AWS account name | 
| aws_region | 1 | - | AWS regions to collect data from | 
| sqs_queue | 1 | - | SQS queue names where AWS sends Config notifications | 
| enable_additional_notifications | 0 | 0 | Deprecated | 
| polling_interval | 0 | 30 | Data collection interval, in seconds | 
| sourcetype | 0 | aws:config | Sourcetype of collected data | 
| index | 1 | default | Splunk index to ingest data. Default is main | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config -d name=test_config_input -d aws_account=test_account -d aws_region=<encode from actual value → ["ap-south-1","ap-south-1"]> -d sqs_queue=<encode from actual value → ["test-queue-1","-test-queue-2"]> -d polling_interval=30 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input -d aws_account=test_account -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queue=<encode from actual value → ["test-queue-1","-test-queue-2"]> -d polling_interval=30 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input | 
Config Rules inputs
Manage or configure Config Rules inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/<config_rule_input_name>
GET, POST, or DELETE
API for the AWS Config Rules input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Name | Required | Default | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input | 
| account | 1 | - | AWS Account | 
| aws_iam_role | 0 | - | AWS IAM role | 
| region | 1 | - | JSON array specifying list of regions | 
| rule_names | 0 | - | JSON array specifying rule names. Leave blank to select all rules | 
| polling_interval | 0 | 300 | Data collection interval, in seconds | 
| sourcetype | 0 | aws:config:rule | Sourcetype of collected data | 
| index | 1 | default | Splunk index to ingest data. Default is main | 
Examples
| Method | Action | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule -d name=test_config_rule_input -d account=test_account -d aws_iam_role=test_iam_role -d region=<encode from actual value → ["ap-northeast-3","ap-south-1"]> -d rule_names=<encode from actual value → ["test-rule-1","test-rule-2"]> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input -d account=test_account -d aws_iam_role=test_iam_role -d region=<encode from actual value → ["ap-northeast-3","ap-south-1"]> -d rule_names=<encode from actual value → ["test-rule-1","test-rule-2"]> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input | 
Generic S3 Input
Manage or configure Generic S3 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/<generic_s3_input_name>
GET, POST, or DELETE
API for the AWS S3 input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| host_name | 0 | - | The host name of the S3 service. | 
| aws_s3_region | 0 | - | AWS region that contains the bucket. | 
| bucket_name | 1 | - | AWS S3 bucket name. | 
| key_name | 0 | - | S3 key prefix. | 
| parse_csv_with_header | 0 | 0 | If enabled, all files are parsed considering first line of each file as the header. Specify either 0 or 1. | 
| parse_csv_with_delimiter | 0 | , | Delimiter to consider while parsing csv files. | 
| initial_scan_datetime | 0 | - | Splunk relative time. Format: %Y-%m-%dT%H:%M:%SZ. | 
| terminal_scan_datetime | 0 | - | Only S3 keys modified before this datetime are considered. Format: %Y-%m-%dT%H:%M:%SZ. | 
| ct_blacklist | 0 | ^$ | Only valid if sourcetype is set to aws:cloudtrail. A PCRE regex that specifies events names to exclude. | 
| blacklist | 0 | - | Regex specifying S3 keys (folders) to ignore. | 
| whitelist | 0 | - | Regex specifying S3 keys (folders) to include. Overrides blacklist. | 
| ct_excluded_events_index | 0 | - | Name of index to put excluded events into. Keep empty to discard the events. | 
| max_retries | 0 | 3 | Max number of retry attempts to stream incomplete item. | 
| recursion_depth | 0 | -1 | Number specifying the depth of subfolders to scan. -1 specifies all subfolders (unconstrained). | 
| max_items | 0 | 100000 | Max trackable items. | 
| character_set | 0 | auto | The character encoding used in your S3 files, for example UTF-8. | 
| is_secure | 0 | - | Whether to use secure connection to AWS. | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. | 
| s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the S3 service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. | 
| polling_interval | 0 | 1800 | Data collection interval, in seconds. | 
| sourcetype | 1 | aws:s3 | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3 | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3 -d name=test_generic_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.ap-south-1.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=test-bucket -d key_name=TestData -d parse_csv_with_header=0 -d parse_csv_with_delimiter=<encode from actual value → ,> -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d terminal_scan_datetime=<encode from actual value → 2023-01-10T00:00:00Z> -d ct_blacklist=<encode from actual value → ^$> -d blacklist=<encode from actual value → Test/.*> -d whitelist=<encode from actual value → Data/.*> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.ap-south-1.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=test-bucket -d key_name=TestData -d parse_csv_with_header=0 -d parse_csv_with_delimiter=<encode from actual value → ,> -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d terminal_scan_datetime=<encode from actual value → 2023-01-10T00:00:00Z> -d ct_blacklist=<encode from actual value → ^$> -d blacklist=<encode from actual value → Test/.*> -d whitelist=<encode from actual value → Data/.*> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default -d recursion_depth=2 -d max_retries=5 | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input | 
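The "encode from actual value" cells above leave the URL encoding, and the conditional rules stated in the parameter table, to the caller. The following Python is an added example, not code from the Splunk Add-on for AWS or its documentation: it checks a Generic S3 request body against the rules the table states (required parameters, the 0/1 flags, the %Y-%m-%dT%H:%M:%SZ datetime format, recursion_depth, and the two private endpoint URLs that become required when private_endpoint_enabled=1), percent-encodes it the way curl's --data-urlencode does, and renders the equivalent curl command. The function names, the sample values and the localhost:8089 base URL are assumptions for the example.

```python
"""Validate and encode a Generic S3 input request body.

Added example; not code from the Splunk Add-on for AWS or its docs.
Parameter names come from the Generic S3 table. The checks encode what
that table states: required columns, 0/1 flags, the datetime format,
recursion_depth semantics, and the private endpoint URLs required when
private_endpoint_enabled=1.
"""
import shlex
from datetime import datetime
from urllib.parse import urlencode

DATETIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
REQUIRED = ("name", "aws_account", "bucket_name", "sourcetype", "index")
FLAGS = ("parse_csv_with_header", "private_endpoint_enabled")
# Assumed management base URL; the real host and port come from your deployment.
BASE_URL = "https://localhost:8089/servicesNS/nobody/Splunk_TA_aws"


def validate_generic_s3(params):
    """Return a list of problems with the body; an empty list means it is acceptable."""
    problems = []
    for key in REQUIRED:
        if not params.get(key):
            problems.append(f"{key} is required")
    if params.get("private_endpoint_enabled") == "1":
        for key in ("s3_private_endpoint_url", "sts_private_endpoint_url"):
            if not params.get(key):
                problems.append(f"{key} is required when private_endpoint_enabled=1")
    for key in FLAGS:
        if key in params and params[key] not in ("0", "1"):
            problems.append(f"{key} must be 0 or 1")
    stamps = {}
    for key in ("initial_scan_datetime", "terminal_scan_datetime"):
        if key in params:
            try:
                stamps[key] = datetime.strptime(params[key], DATETIME_FMT)
            except ValueError:
                problems.append(f"{key} must match {DATETIME_FMT}")
    if len(stamps) == 2 and stamps["terminal_scan_datetime"] <= stamps["initial_scan_datetime"]:
        problems.append("terminal_scan_datetime must be later than initial_scan_datetime")
    if "recursion_depth" in params:
        try:
            if int(params["recursion_depth"]) < -1:
                problems.append("recursion_depth must be -1 or a non-negative integer")
        except ValueError:
            problems.append("recursion_depth must be an integer")
    return problems


def encode_body(params):
    """Percent-encode the parameters; this is the wire form of the 'encode from actual value' cells."""
    return urlencode(params)


def curl_command(params, base_url=BASE_URL):
    """Render an equivalent curl command; --data-urlencode performs the same encoding."""
    parts = ["curl", "-u", "admin:password", f"{base_url}/splunk_ta_aws_aws_s3"]
    for key, value in params.items():
        parts.append("--data-urlencode " + shlex.quote(f"{key}={value}"))
    return " ".join(parts)


# Constructed sample mirroring the "Create input" row of the Examples table.
SAMPLE = {
    "name": "test_generic_s3_input",
    "aws_account": "test_account",
    "bucket_name": "test-bucket",
    "key_name": "TestData",
    "parse_csv_with_header": "0",
    "initial_scan_datetime": "2023-01-01T00:00:00Z",
    "terminal_scan_datetime": "2023-01-10T00:00:00Z",
    "ct_blacklist": "^$",
    "blacklist": "Test/.*",
    "whitelist": "Data/.*",
    "recursion_depth": "2",
    "polling_interval": "300",
    "sourcetype": "aws:s3",
    "index": "default",
}

if __name__ == "__main__":
    errors = validate_generic_s3(SAMPLE)
    print("problems:", errors or "none")
    print(encode_body(SAMPLE))
    print(curl_command(SAMPLE))
```

Run the validation before the POST rather than after: the endpoint stores whatever it accepts, and a missing STS private endpoint URL or a reversed scan window only shows up later as an input that silently collects nothing.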
Incremental S3 input
Manage or configure Incremental S3 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/<incremental_s3_input_name>
GET, POST, or DELETE
API for the AWS Incremental S3 input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| host_name | 0 | - | The host name of the S3 service. | 
| aws_s3_region | 0 | - | The AWS region that contains the S3 bucket. | 
| bucket_name | 1 | - | The AWS S3 bucket name. | 
| log_type | 1 | - | The type of logs to ingest. Available log types are cloudtrail, elb:accesslogs, cloudfront:accesslogs and s3:accesslogs. | 
| log_file_prefix | 0 | - | Prefix of the log files. Together with the other path elements, it forms the URL under which the add-on searches for log files. | 
| log_start_date | 0 | - | The start date of the log. Format: %Y-%m-%d. | 
| bucket_region | 0 | - | The AWS region where the S3 bucket exists. | 
| distribution_id | 0 | - | CloudFront distribution id. Specify only when creating input for collecting CloudFront access logs. | 
| max_fails | 0 | 10000 | Stop discovering new keys if the number of failed files exceeds max_fails. | 
| max_number_of_process | 0 | 2 | Maximum number of processes. | 
| max_number_of_thread | 0 | 4 | Maximum number of threads. | 
| max_retries | 0 | -1 | Max number of retries to collect data upon failing requests. Specify -1 to retry until success. | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify 0 to disable, or 1 to enable. | 
| s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the S3 service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. | 
| interval | 0 | 1800 | Data collection interval, in seconds. | 
| sourcetype | 0 | aws:s3 | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs -d name=test_incremental_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d log_type=<encode from actual value → s3:accesslogs> -d log_file_prefix=test-prefix -d log_start_date=2023-01-01 -d bucket_region=ap-south-1 -d interval=1800 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d log_type=<encode from actual value → s3:accesslogs> -d log_file_prefix=test-prefix -d log_start_date=2023-01-01 -d bucket_region=ap-south-1 -d interval=1800 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input | 
Inspector input
Manage or configure Inspector inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/<inspector_input_name>
GET, POST, or DELETE
API for the Amazon Inspector input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| regions | 1 | - | AWS regions that contain your data. Enter region IDs in a comma-separated list. | 
| polling_interval | 1 | 300 | Data collection interval, in seconds. | 
| sourcetype | 1 | aws:inspector | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector -d name=test_inspector_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=600 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input | 
Inspector V2 input
Manage or configure Inspector V2 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/<inspector_v2_input_name>
GET, POST, or DELETE
API for the Amazon Inspector V2 input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| regions | 1 | - | AWS regions that contain your data. Enter region IDs in a comma-separated list. | 
| polling_interval | 1 | 300 | Data collection interval, in seconds. | 
| sourcetype | 1 | aws:inspector:v2:findings | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2 | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2 -d name=test_inspector_v2_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=600 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input | 
Kinesis input
Manage or configure Kinesis inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/<kinesis_input_name>
GET, POST, or DELETE
API for the AWS Kinesis input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| region | 1 | - | AWS region for Kinesis stream. | 
| stream_names | 1 | - | Kinesis stream names in a comma-separated list. Leave empty to collect all streams. | 
| init_stream_position | 0 | LATEST | Stream position from where to start collecting data. Specify either TRIM_HORIZON (starting) or LATEST (recent live data). | 
| encoding | 0 | - | Encoding of the stream data. Set to gzip, or leave blank to default to Base64. | 
| format | 0 | - | Format of the collected data. Specify CloudWatchLogs or leave empty. | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify 0 to disable, or 1 to enable. | 
| kinesis_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the Kinesis service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. | 
| sourcetype | 0 | aws:kinesis | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
| metric_index_flag | 0 | No | Whether to use metric index or event index. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis -d name=test_kinesis_input -d account=test_account -d aws_iam_role=test_iam_role -d region=ap-south-1 -d stream_names=test-stream -d init_stream_position=LATEST -d encoding=gzip -d format=CloudwatchLogs -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input -d account=test_account -d aws_iam_role=test_iam_role -d region=ap-south-1 -d stream_names=test-stream -d init_stream_position=TRIM_HORIZON -d encoding=gzip -d format=CloudwatchLogs -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input | 
Metadata input
Manage or configure Metadata inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/<metadata_input_name>
GET, POST, or DELETE
API for the AWS Metadata input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| regions | 1 | - | AWS regions to collect data from, as a comma-separated list. | 
| apis | 1 | - | APIs to collect data with and the collection interval for each, in the form ec2_instances/3600,kinesis_stream/3600. | 
| sourcetype | 0 | aws:metadata | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata -d name=test_metadata_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> -d apis=<encode from actual value → ec2_instances/3600,lambda_functions/3600,s3_buckets/3600> -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> -d apis=<encode from actual value → ec2_instances/3600,lambda_functions/3600,s3_buckets/3600> -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input | 
SQS input
Manage or configure SQS inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/<sqs_input_name>
GET, POST, or DELETE
API for the AWS SQS input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| aws_region | 0 | - | List of AWS regions containing SQS queues. | 
| sqs_queues | 1 | - | Comma-separated list of AWS SQS queue names. | 
| interval | 1 | 30 | Data collection interval. | 
| sourcetype | 0 | - | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs -d name=test_sqs_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> -d interval=30 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> -d interval=30 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input | 
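Unlike the other inputs, the SQS input takes aws_region and sqs_queues as JSON arrays that are then URL-encoded, and the "Create input" row leaves both steps to the reader. The following Python is an added example, not code from the Splunk Add-on for AWS or its documentation: it builds those two parameters from a Python mapping, produces the encoded body, and decodes a body back to check that the two arrays line up. It assumes, from the example values above, that the i-th comma-joined queue list belongs to the i-th region; the function names and sample values are assumptions as well.

```python
"""Build and decode the list-valued parameters of an SQS input request.

Added example; not code from the Splunk Add-on for AWS or its docs.
Assumption (from the page's example values): the i-th entry of sqs_queues
is the comma-joined list of queues in the i-th entry of aws_region.
"""
import json
from urllib.parse import parse_qs, urlencode


def json_list(values):
    """Compact JSON array, matching the page's ["a","b"] form with no spaces."""
    return json.dumps(list(values), separators=(",", ":"))


def sqs_input_body(name, aws_account, queues_by_region, sourcetype, interval=30, index="default"):
    """Return the percent-encoded form body for the splunk_ta_aws_splunk_ta_aws_sqs endpoint.

    queues_by_region maps a region id to the list of queue names in that region.
    """
    if not queues_by_region:
        raise ValueError("at least one region with queues is required")
    regions = list(queues_by_region)
    queues = [",".join(queues_by_region[region]) for region in regions]
    params = {
        "name": name,
        "aws_account": aws_account,
        "aws_region": json_list(regions),
        "sqs_queues": json_list(queues),
        "interval": str(interval),
        "sourcetype": sourcetype,
        "index": index,
    }
    return urlencode(params)


def decode_sqs_body(body):
    """Undo the encoding: return {region: [queue, ...]} from a body built above."""
    fields = {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}
    regions = json.loads(fields["aws_region"])
    queues = json.loads(fields["sqs_queues"])
    if len(regions) != len(queues):
        raise ValueError("aws_region and sqs_queues must have the same number of entries")
    return {region: queue_list.split(",") for region, queue_list in zip(regions, queues)}


# Constructed sample mirroring the "Create input" row of the Examples table.
SAMPLE_QUEUES = {
    "ap-south-1": ["test-queue-1", "test-queue-2"],
    "ap-northeast-1": ["test-queue-3", "test-queue-4"],
}

if __name__ == "__main__":
    body = sqs_input_body("test_sqs_input", "test_account", SAMPLE_QUEUES, "test_sourcetype")
    print(body)
    print(decode_sqs_body(body))
```

The decode step is the useful check: if a hand-written body has three regions and two queue lists, the add-on cannot tell you which region lost its queues, whereas decode_sqs_body raises before the request is sent.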
SQS-Based S3 input
Manage or configure SQS-Based S3 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/<sqs_based_s3_input_name>
GET, POST, or DELETE
API for the AWS SQS-Based S3 input.
Request URL parameters
| Parameter | Default | Description | 
|---|---|---|
| output_mode | - | If output_mode=json, response is returned in JSON format. | 
Request body parameters
| Parameter | Required | Default value | Description | 
|---|---|---|---|
| name | 1 | - | Unique name for input. | 
| aws_account | 1 | - | AWS account name. | 
| aws_iam_role | 0 | - | AWS IAM role. | 
| using_dlq | 0 | 1 | Specify either 0 or 1 to disable or enable checking for dead letter queue (DLQ). | 
| sqs_sns_validation | 0 | 1 | Enable or disable SNS signature validation. Specify either 0 or 1. | 
| parse_csv_with_header | 0 | 0 | Enable parsing of CSV data with a header. The first line of each file is treated as the header. Specify either 0 or 1. | 
| parse_csv_with_delimiter | 0 | , | Delimiter to use when parsing CSV files. | 
| sqs_queue_region | 1 | - | Name of the AWS region in which the notification queue is located. | 
| sqs_queue_url | 1 | - | Name of SQS queue to which notifications of S3 file(s) creation are sent. | 
| sqs_batch_size | 0 | 10 | Max number of messages to pull from SQS in one batch. | 
| s3_file_decoder | 1 | - | Name of a decoder which decodes files into events: CloudTrail, Config, S3 Access Logs, ELB Access Logs, CloudFront Access Logs, and CustomLogs. | 
| private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. | 
| sqs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with SQS service. | 
| s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with S3 service. | 
| sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with STS service. | 
| interval | 0 | 300 | Data collection interval. | 
| sourcetype | 1 | - | Sourcetype of collected data. | 
| index | 1 | default | Splunk index to ingest data. Default is main. | 
| metric_index_flag | 0 | No | Whether to use metric index or event index. | 
Examples
| Method | Operation | Example | 
|---|---|---|
| GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3 | 
| GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input | 
| POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3 -d name=test_sqs_based_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d using_dlq=1 -d sqs_sns_validation=1 -d parse_csv_with_header=1 -d parse_csv_with_delimiter=<encode from actual value → ,> -d sqs_queue_region=ap-south-1 -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue> -d sqs_batch_size=10 -d s3_file_decoder=CustomLogs -d interval=300 -d sourcetype=test_sourcetype -d index=default | 
| POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d using_dlq=1 -d sqs_sns_validation=1 -d parse_csv_with_header=1 -d parse_csv_with_delimiter=<encode from actual value → \|> -d sqs_queue_region=ap-south-1 -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue> -d sqs_batch_size=10 -d s3_file_decoder=Config -d interval=300 -d sourcetype=test_sourcetype -d index=default | 
| DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input |
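The GET forms above, with output_mode=json, return every configured SQS-Based S3 input, which makes them a convenient place to audit the settings the parameter table describes. The following Python is an added example, not code from the Splunk Add-on for AWS or its documentation: it walks such a response and reports inputs that have SNS signature validation switched off (sqs_sns_validation=0), dead letter queue checking switched off (using_dlq=0), or private endpoints enabled without the three private endpoint URLs the table marks as required in that case. It assumes the usual Splunk REST JSON shape, an "entry" list whose items carry "name" and "content"; the sample response, input names and function names are constructed for the example.

```python
"""Audit SQS-Based S3 inputs from a GET ...?output_mode=json response.

Added example; not code from the Splunk Add-on for AWS or its docs.
Assumes the Splunk REST JSON shape {"entry": [{"name": ..., "content": {...}}]}.
The flagged settings are the ones the SQS-Based S3 parameter table defines.
"""
import json

# Parameters the table marks as required when private_endpoint_enabled=1.
PRIVATE_URLS = ("sqs_private_endpoint_url", "s3_private_endpoint_url", "sts_private_endpoint_url")


def audit_entry(content):
    """Return the list of findings for one input's content dictionary."""
    findings = []
    # Table defaults are 1 for both flags, so a missing key is treated as enabled.
    if str(content.get("sqs_sns_validation", "1")) == "0":
        findings.append("SNS signature validation disabled (sqs_sns_validation=0)")
    if str(content.get("using_dlq", "1")) == "0":
        findings.append("dead letter queue check disabled (using_dlq=0)")
    if str(content.get("private_endpoint_enabled", "0")) == "1":
        for key in PRIVATE_URLS:
            if not content.get(key):
                findings.append(f"private endpoints enabled but {key} is empty")
    if not content.get("sqs_queue_url"):
        findings.append("sqs_queue_url is empty")
    return findings


def audit_response(text):
    """Parse the JSON response and return {input_name: [finding, ...]} for inputs with findings."""
    doc = json.loads(text)
    report = {}
    for entry in doc.get("entry", []):
        findings = audit_entry(entry.get("content", {}))
        if findings:
            report[entry["name"]] = findings
    return report


# Constructed sample response: three inputs, only the relevant fields shown.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "ct_prod", "content": {
            "sqs_sns_validation": "1", "using_dlq": "1", "private_endpoint_enabled": "0",
            "sqs_queue_region": "ap-south-1",
            "sqs_queue_url": "https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue",
            "s3_file_decoder": "CloudTrail", "interval": "300"}},
        {"name": "ct_legacy", "content": {
            "sqs_sns_validation": "0", "using_dlq": "0", "private_endpoint_enabled": "0",
            "sqs_queue_region": "ap-south-1",
            "sqs_queue_url": "https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue",
            "s3_file_decoder": "CloudTrail", "interval": "300"}},
        {"name": "ct_private", "content": {
            "sqs_sns_validation": "1", "using_dlq": "1", "private_endpoint_enabled": "1",
            "sqs_private_endpoint_url": "https://sqs-private-endpoint.example",  # placeholder
            "s3_private_endpoint_url": "",
            "sqs_queue_region": "ap-south-1",
            "sqs_queue_url": "https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue",
            "s3_file_decoder": "Config", "interval": "300"}},
    ]
})

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Feed it the body of the "List of all inputs" request and run it on a schedule: an input whose SNS validation was switched off to work around a delivery problem is easy to forget, and this check surfaces it alongside the misconfigured private endpoint case.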