
API reference for the Splunk Add-on for AWS

See the following sections for API reference information for the Splunk Add-on for AWS.

AWS Account

Manage or configure AWS accounts in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/<account_name>

GET, POST, or DELETE

API for AWS Account settings.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Name Required Default Description
name 1 - Unique name for AWS account
key_id 1 - AWS account key id
secret_key 1 - AWS account secret key
category 1 1 AWS account region category. Specify either 1, 2, or 4 (1 = Global, 2 = US Gov, 4 = China)

Examples

GET, list of all accounts: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account
GET, list specified account: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account
POST, create account: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account -d name=test_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1
POST, edit account: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1
DELETE, delete account: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account

AWS Private Account

Manage or configure AWS private accounts in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/<private_account_name>

GET, POST, or DELETE

API for AWS Private Account settings.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Name Required Default Description
name 1 - Unique name for AWS private account
key_id 1 - AWS private account key id
secret_key 1 - AWS private account secret key
category 1 - AWS private account region category. Specify either 1, 2, or 4 (1 = Global, 2 = US Gov, 4 = China)
sts_region 1 if private_endpoint_enabled=1 - AWS region used for STS API calls
private_endpoint_enabled 0 - Whether to use user-provided AWS private (VPC) endpoints for API calls to AWS services. Specify either 0 or 1
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - AWS private endpoint URL for the STS service

Examples

GET, list of all accounts: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account
GET, list specified account: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account
POST, create account: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account -d name=test_private_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 -d sts_region=ap-south-1 -d private_endpoint_enabled=1 -d sts_private_endpoint_url=<encode from actual value → https://vpce-endpoint_id-unique_id.sts.region.vpce.amazonaws.com>
POST, edit account: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 -d sts_region=ap-northeast-1 -d private_endpoint_enabled=1 -d sts_private_endpoint_url=<encode from actual value → https://vpce-endpoint_id-unique_id.sts.region.vpce.amazonaws.com>
DELETE, delete account: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account

AWS IAM Role

Manage or configure AWS IAM Role in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/<iam_role_name>

GET, POST, or DELETE

API for AWS IAM Role settings.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Name Required Default Description
name 1 - Unique name for AWS IAM role
arn 1 - AWS IAM role ARN

Examples

GET, list of all IAM roles: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles
GET, list specified IAM role: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role
POST, create IAM role: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles -d name=test_iam_role -d arn=<encode from actual value → arn:aws:iam::aws_account_id:role/AWSTestIAMRole>
POST, edit IAM role: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role -d arn=<encode from actual value → arn:aws:iam::aws_account_id:role/AWSTestIAMRole>
DELETE, delete IAM role: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role
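The examples in the AWS Account, AWS Private Account and IAM Role sections above pass `-u admin:password` on the command line and tell you to URL-encode values such as ARNs and VPC endpoint URLs by hand. The following script is an added example, not part of the Splunk documentation or the add-on: a POSIX sh wrapper that builds the endpoint URL, percent-encodes the form body the same way curl's --data-urlencode does (so you can see exactly what an ARN or sts_private_endpoint_url looks like on the wire), and sends the Splunk credential as a bearer token read from the environment rather than as a command-line argument visible in `ps` and shell history. SPLUNK_TOKEN, SPLUNK_HOST, SPLUNK_MGMT_PORT, the script name and the sample account/role names are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the Splunk documentation): POSIX sh wrapper around the
# Splunk_TA_aws REST endpoints. Assumptions: SPLUNK_TOKEN holds a Splunk
# authentication token with write access to the add-on configuration;
# SPLUNK_HOST and SPLUNK_MGMT_PORT default to the localhost:8089 of the examples.
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-localhost}"
SPLUNK_MGMT_PORT="${SPLUNK_MGMT_PORT:-8089}"
TA_NS="/servicesNS/nobody/Splunk_TA_aws"

# ta_url RESOURCE [NAME]: the collection endpoint, or one entity within it.
ta_url() {
  url="https://${SPLUNK_HOST}:${SPLUNK_MGMT_PORT}${TA_NS}/$1"
  if [ -n "${2:-}" ]; then
    url="${url}/$2"
  fi
  printf '%s' "$url"
}

# urlencode STRING: percent-encode one form value byte by byte (LC_ALL=C so a
# multibyte character becomes several %XX escapes). This is what "encode from
# actual value" in the examples means; curl --data-urlencode does the same.
urlencode() {
  printf '%s' "$1" | LC_ALL=C od -An -v -tu1 | awk '
    {
      for (i = 1; i <= NF; i++) {
        b = $i + 0
        # RFC 3986 unreserved characters pass through, everything else is %XX
        if ((b >= 48 && b <= 57) || (b >= 65 && b <= 90) || (b >= 97 && b <= 122) ||
            b == 45 || b == 46 || b == 95 || b == 126)
          printf "%c", b
        else
          printf "%%%02X", b
      }
    }'
}

# ta_body key=value ...: an application/x-www-form-urlencoded request body.
ta_body() {
  body=""
  sep=""
  for pair in "$@"; do
    key=${pair%%=*}
    val=${pair#*=}
    body="${body}${sep}$(urlencode "$key")=$(urlencode "$val")"
    sep="&"
  done
  printf '%s' "$body"
}

# ta_call METHOD RESOURCE NAME [key=value ...]: perform the request; NAME is ""
# for the collection endpoint. The token goes in a header and comes from the
# environment, so no credential appears on the command line.
ta_call() {
  method=$1
  resource=$2
  name=$3
  shift 3
  url="$(ta_url "$resource" "$name")?output_mode=json"
  if [ "$method" = POST ]; then
    body=$(ta_body "$@")
    set -- -X POST --data-binary "$body"
  else
    set -- -X "$method"
  fi
  curl -sS --fail -H "Authorization: Bearer ${SPLUNK_TOKEN:?set SPLUNK_TOKEN to a Splunk auth token}" "$@" "$url"
}

# Command-line use (hypothetical script name ta_aws.sh), mirroring the curl examples:
#   ./ta_aws.sh POST splunk_ta_aws_iam_roles "" name=test_iam_role \
#       "arn=arn:aws:iam::123456789012:role/AWSTestIAMRole"
#   ./ta_aws.sh POST splunk_ta_aws_aws_account "" name=test_account \
#       "key_id=$AWS_KEY_ID" "secret_key=$AWS_SECRET" category=1
#   ./ta_aws.sh GET splunk_ta_aws_aws_account test_account
#   ./ta_aws.sh DELETE splunk_ta_aws_aws_account test_account
if [ $# -ge 3 ]; then
  ta_call "$@"
fi
```

Because the secret_key is still part of the POST body, run the script from a process that reads the AWS secret from a secrets manager or an environment variable rather than typing it interactively, and do not add -k to the curl call: the management port should present a certificate your client trusts.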

Billing (Cost and Usage Report)

Manage or configure Billing (Cost and Usage Report) inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/<billing_cur_input_name>

GET, POST, or DELETE

API for the AWS Billing (Cost and Usage) input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role name
aws_s3_region 0 - Region to connect with s3 service using regional endpoint
bucket_region 0 - Region of AWS s3 bucket
bucket_name 1 - Name of s3 bucket where reports are delivered to
report_prefix 0 - Prefixes used to allow AWS to deliver reports into a specified folder
report_names 0 - Regex used to filter reports by name
temp_folder 0 - Full path to a non-default folder for temporarily storing downloaded detailed billing report .zip files
start_date 0 90 days before input is configured Collect data after this time. Format = %Y-%m
private_endpoint_enabled 0 - Whether to use private endpoint. Specify either 0 or 1.
s3_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with s3 service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with STS service.
interval 0 86400 Data collection interval, in seconds
sourcetype 0 aws:billing:cur Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur -d name=test_billing_cur_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d bucket_region=ap-south-1 -d report_prefix=test_report -d report_names=test_report_name.* -d temp_folder=test_temp_folder -d interval=1800 -d start_date=2023-01 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d bucket_region=ap-south-1 -d report_prefix=test_report -d report_names=test_report_name.* -d temp_folder=test_temp_folder -d interval=1800 -d start_date=2023-01 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input

Billing (Legacy)

Manage or configure Billing (Legacy) inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/<billing_input_name>

GET, POST, or DELETE

API for the Billing (Legacy) input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role name
aws_s3_region 0 - Region to connect with s3 service using regional endpoint
host_name 0 - Host name of s3 service (s3.amazonaws.com)
bucket_name 1 - S3 bucket name which is configured to hold billing reports
monthly_report_type 0 Monthly cost allocation report Monthly report type. Specify either of the following:
  • None
  • Monthly report
  • Monthly cost allocation report
detail_report_type 0 Detailed billing report with resources and tags Detail report type. Specify either of the following:
  • None
  • Detailed billing report
  • Detailed billing report with resources and tags
temp_folder 0 - Full path to a non-default folder for temporarily storing downloaded detailed billing report .zip files
report_file_match_reg 0 - Regex for report selection. This expression overrides monthly_report_type and detail_report_type
recursion_depth 0 - Recursion depth in count when iterating child files and folders
monthly_timestamp_select_column_list 0 - Fields of timestamp extracted from monthly report, separated by |
detail_timestamp_select_column_list 0 - Fields of timestamp extracted from detail report, separated by |
time_format_list 0 - Time format extract from existing report, separated by |. Ex %Y-%m-%d %H:%M:%S
max_file_size_csv_in_bytes 0 50 MB Max file size for reports in CSV format, in bytes
max_file_size_csv_zip_in_bytes 0 1 GB Max file size for reports in zipped CSV format, in bytes
header_look_up_max_lines 0 - Max lines to look up header of billing report
header_magic_regex 0 - Regex of header to look up
monthly_real_timestamp_extraction 0 - For monthly report, regex to extract real timestamp in the report
monthly_real_timestamp_format_reg_list 0 - For monthly report, regex to match the format of real time string, separated by |
initial_scan_datetime 0 - Timestamp for initial scan. Format = %Y-%m-%dT%H:%M:%SZ
interval 0 86400 Data collection interval, in seconds
sourcetype 0 aws:billing Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/test_billing_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing -d name=test_billing_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d host_name=s3.amazonaws.com -d bucket_name=testing-bucket-05 -d monthly_report_type="Monthly cost allocation report" -d detail_report_type="Detailed billing report with resources and tags" -d temp_folder=test_temp_folder -d recursion_depth=2 -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d interval=3600 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/test_billing_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d host_name=s3.amazonaws.com -d bucket_name=testing-bucket-05 -d monthly_report_type="Monthly cost allocation report" -d detail_report_type="Detailed billing report" -d temp_folder=test_temp_folder -d recursion_depth=1 -d interval=3600 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/test_billing_input

Cloudtrail

Manage or configure Cloudtrail inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/<cloudtrail_input_name>

GET, POST, or DELETE

API for the AWS Cloudtrail input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_region 1 - AWS region to collect data from
sqs_queue 1 - Name of the queue where AWS sends new Cloudtrail log notifications
remove_files_when_done 0 0 Boolean value indicating whether Splunk should delete log files from the S3 bucket after indexing
exclude_describe_events 0 1 Boolean value indicating whether to exclude certain events, such as read-only events that can produce a high volume of data
blacklist 0 - A PCRE regex that specifies event names to exclude when exclude_describe_events is set to 1. Leave blank to use the default regex ^(?:Describe
excluded_events_index 0 - Splunk index in which to put excluded events. Default is empty, which discards the excluded events
private_endpoint_enabled 0 - Whether to use private endpoint. Specify either 0 or 1.
s3_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with s3 service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with STS service.
sqs_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with SQS service.
interval 0 30 Data collection interval, in seconds
sourcetype 1 aws:cloudtrail Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail -d name=test_cloudtrail_input -d aws_account=test_account -d aws_region=ap-south-1 -d sqs_queue=test_queue -d remove_files_when_done=0 -d exclude_describe_events=1 -d blacklist=<encode from actual value → test/.*> -d interval=3600 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input -d aws_account=test_account -d aws_region=ap-south-1 -d sqs_queue=test_queue -d remove_files_when_done=1 -d exclude_describe_events=1 -d blacklist=<encode from actual value → test/.*> -d excluded_events_index=test_idx -d interval=3600 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input
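With exclude_describe_events=1 the CloudTrail input silently discards every event whose name matches the blacklist, and with excluded_events_index left empty those events are gone rather than parked in a cheaper index. The following script is an added example, not part of the Splunk documentation or the add-on: it previews, offline, which eventName values a candidate blacklist would drop, using constructed CloudTrail records and constructed regexes (the add-on's own default regex is not reproduced). The add-on evaluates the blacklist as PCRE; the preview uses grep -E, so it is only valid for regexes that stay inside the syntax PCRE and ERE share.

```sh
#!/bin/sh
# Added example (not from the Splunk documentation): preview which CloudTrail
# eventName values a blacklist regex would exclude before enabling
# exclude_describe_events on an input. Records and regexes are constructed.
set -eu

# Constructed CloudTrail records, one JSON object per line, reduced to the
# fields relevant to the filter.
SAMPLE_EVENTS='{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","readOnly":true}
{"eventName":"GetCallerIdentity","eventSource":"sts.amazonaws.com","readOnly":true}
{"eventName":"ListBuckets","eventSource":"s3.amazonaws.com","readOnly":true}
{"eventName":"RunInstances","eventSource":"ec2.amazonaws.com","readOnly":false}
{"eventName":"CreateUser","eventSource":"iam.amazonaws.com","readOnly":false}
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","readOnly":false}'

# event_names: extract eventName from JSON lines on stdin.
event_names() {
  sed -n 's/.*"eventName":"\([^"]*\)".*/\1/p'
}

# classify REGEX: read event names on stdin and print "DROP name" for names the
# blacklist matches, "KEEP name" otherwise. The add-on applies the blacklist
# as PCRE; grep -E is ERE, so keep previewed regexes to the shared subset
# (anchors and alternation yes, (?:...) groups and lookarounds no).
classify() {
  regex=$1
  while IFS= read -r name; do
    if printf '%s\n' "$name" | grep -Eq -- "$regex"; then
      printf 'DROP %s\n' "$name"
    else
      printf 'KEEP %s\n' "$name"
    fi
  done
}

# dropped REGEX EVENTS: space-separated names the blacklist would exclude.
dropped() {
  printf '%s\n' "$2" | event_names | classify "$1" |
    awk '$1 == "DROP" { printf "%s%s", sep, $2; sep = " " }'
}

# kept REGEX EVENTS: space-separated names that would be indexed.
kept() {
  printf '%s\n' "$2" | event_names | classify "$1" |
    awk '$1 == "KEEP" { printf "%s%s", sep, $2; sep = " " }'
}

# Walk-through: a broad read-only blacklist also removes the reconnaissance
# calls (GetCallerIdentity, ListBuckets) that detections rely on. Either narrow
# the regex, or set excluded_events_index so the events land in a low-cost
# index instead of being discarded.
BROAD='^(Describe|List|Get)'
NARROW='^Describe'
printf 'blacklist %s drops: %s\n' "$BROAD" "$(dropped "$BROAD" "$SAMPLE_EVENTS")"
printf 'blacklist %s keeps: %s\n' "$BROAD" "$(kept "$BROAD" "$SAMPLE_EVENTS")"
printf 'blacklist %s drops: %s\n' "$NARROW" "$(dropped "$NARROW" "$SAMPLE_EVENTS")"
```

To preview against real data, replace SAMPLE_EVENTS with records pulled from the S3 bucket the input reads, and remember that the preview cannot reproduce PCRE-only constructs such as the (?: in the add-on's default pattern.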

Cloudtrail Lake

Manage or configure Cloudtrail Lake inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/<cloudtrail_lake_input_name>

GET, POST, or DELETE

API for the Cloudtrail Lake input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input
aws_account 1 - AWS account name
aws_iam_role 0 - AWS IAM role
aws_region 1 - AWS region to collect data from
input_mode 1 continuously_monitor Input mode: continuously_monitor to keep collecting on each interval, or index_once to collect a fixed window once.
event_data_store 1 - The Cloudtrail Lake event data store from which the data will be collected.
start_date_time 1 7 days ago Start date/time specifying how far back to go when initially collecting data.
end_date_time 1 if input_mode is index_once - End date/time up to which the input collects data.
private_endpoint_enabled 0 - Whether to use private endpoint. Specify either 0 or 1
cloudtrail_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with cloudtrail service
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with sts service
query_window_size 1 15 This parameter is used to control the chunk size.
delay_throttle 0 5 This parameter specifies how close to “now” the end date for a query may be (where “now” is the time that the input runs).
interval 0 3600 if input_mode is continuously_monitor, otherwise -1 Data collection interval, in seconds
sourcetype 0 aws:cloudtrail:lake Sourcetype of collected data
index 1 default Splunk index to ingest data. Default is main

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake -d name=test_cloudtrail_lake_input -d aws_account=test_account -d aws_region=ap-south-1 -d input_mode=continuously_monitor -d event_data_store=test_data_store -d start_date_time=2024-04-22T06:50:03 -d query_window_size=15 -d interval=3600 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input -d aws_account=test_account -d aws_region=ap-south-1 -d input_mode=continuously_monitor -d event_data_store=test_data_store -d start_date_time=2024-04-22T06:50:03 -d query_window_size=15 -d interval=3600 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input

Cloudwatch

Manage or configure Cloudwatch inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/<cloudwatch_input_name>

GET, POST, or DELETE

API for the AWS Cloudwatch input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
aws_region 1 - AWS region to collect data from
metric_namespace 0 - Cloudwatch metric namespace, for example AWS/EBS
metric_names 0 - Cloudwatch metric names in JSON array, one entry per entry of metric_namespace (as in the examples below)
metric_dimensions 0 - Cloudwatch metric dimensions
statistics 0 - Cloudwatch metric statistics, Specify either of Average, Sum, SampleCount, Maximum, Minimum
period 0 300 Cloudwatch metrics granularity, in seconds
use_metric_format 0 false Boolean indicating whether to transform data to metric format
metric_expiration 0 3600 How long the discovered metrics would be cached for, in seconds
query_window_size 0 7200 How far back to retrieve data points for, in number of data points
private_endpoint_enabled 0 - Whether to use private endpoint. Specify either 0 or 1.
monitoring_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with monitoring service.
s3_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with s3 service.
ec2_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with ec2 service.
elb_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with elb service.
lambda_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with lambda service.
autoscaling_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with autoscaling service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with STS service.
polling_interval 0 600 Data collection interval, in seconds.
sourcetype 1 aws:cloudwatch Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch -d name=test_cloudwatch_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ap-south-1,ap-northeast-1> -d metric_namespace=<encode from actual value → ["AWS/ApiGateway","AWS/ApiGateway","AWS/ApiGateway","AWS/EC2","AWS/EC2","AWS/EC2","AWS/EC2"]> -d metric_names=<encode from actual value → ["\".*\"","[\"CacheHitCount\",\"5XXError\"]","[\"4XXError\"]","\".*\"","[\"DiskReadBytes\",\"CPUUtilization\"]","[\"CPUUtilization\",\"DiskWriteBytes\"]","\".*\""]> -d metric_dimensions=<encode from actual value → ["[{\"ApiName\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"],\"Method\":[\".*\"],\"Resource\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"]}]","[{\"ImageId\":[\".*\"]}]","[{\"InstanceId\":[\".*\"]}]","[{\"AutoScalingGroupName\":[\".*\"]}]","[{\"InstanceType\":[\".*\"]}]"]> -d statistics=<encode from actual value → ["[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\",\"Sum\"]","[\"Maximum\",\"SampleCount\"]","[\"Average\",\"SampleCount\",\"Maximum\"]","[\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\"]","[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]"]> -d period=300 -d use_metric_format=false -d metric_expiration=3600 -d query_window_size=7200 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input -d aws_region=<encode from actual value → ap-south-1,ap-northeast-1> -d metric_namespace=<encode from actual value → ["AWS/ApiGateway","AWS/ApiGateway","AWS/ApiGateway","AWS/EC2","AWS/EC2","AWS/EC2","AWS/EC2"]> -d metric_names=<encode from actual value → ["\".*\"","[\"CacheHitCount\",\"5XXError\"]","[\"4XXError\"]","\".*\"","[\"DiskReadBytes\",\"CPUUtilization\"]","[\"CPUUtilization\",\"DiskWriteBytes\"]","\".*\""]> -d metric_dimensions=<encode from actual value → ["[{\"ApiName\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"],\"Method\":[\".*\"],\"Resource\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"]}]","[{\"ImageId\":[\".*\"]}]","[{\"InstanceId\":[\".*\"]}]","[{\"AutoScalingGroupName\":[\".*\"]}]","[{\"InstanceType\":[\".*\"]}]"]> -d statistics=<encode from actual value → ["[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\",\"Sum\"]","[\"Maximum\",\"SampleCount\"]","[\"Average\",\"SampleCount\",\"Maximum\"]","[\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\"]","[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]"]> -d period=300 -d use_metric_format=false -d metric_expiration=3600 -d query_window_size=7200 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input

Cloudwatch Logs

Manage or configure Cloudwatch Logs inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/<cloudwatch_logs_input_name>

GET, POST, or DELETE

API for the AWS Cloudwatch Logs input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
region 1 - AWS region to collect data from
groups 1 - Log group names to get data from, split by comma (,)
only_after 0 1970-01-01T00:00:00 Only events after the specified GMT time will be collected. Format = %Y-%m-%dT%H:%M:%S
delay 0 1800 The input queries CloudWatch Logs events no later than this many seconds before now
stream_matcher 0 .* Regex to match log stream names for ingesting events
private_endpoint_enabled 0 - Whether to use private endpoint. Specify either 0 or 1.
sqs_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with SQS service.
logs_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with logs service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with STS service.
interval 0 600 Data collection interval, in seconds.
sourcetype 1 aws:cloudwatchlogs Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.
metric_index_flag 0 No Whether to use metric index or event index.

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs -d name=test_cloudwatch_logs_input -d account=test_account -d region=ap-south-1 -d groups=<encode from actual value → test-group-1,test-group-2> -d only_after=<encode from actual value → 2023-01-01T00:00:00> -d stream_matcher=<encode from actual value → test-stream.*> -d interval=300 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input -d account=test_account -d region=ap-south-1 -d groups=<encode from actual value → test-group-1,test-group-2> -d only_after=<encode from actual value → 2023-01-01T00:00:00> -d delay=900 -d stream_matcher=<encode from actual value → test-stream.*> -d interval=300 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input

Config inputs

Manage or configure Config inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/<config_input_name>

GET, POST, or DELETE

API for the AWS Config input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default Description
name 1 - Unique name for input
aws_account 1 - AWS account name
aws_region 1 - AWS regions to collect data from
sqs_queue 1 - Sqs queue names where AWS sends Config notifications
enable_additional_notifications 0 0 Deprecated
polling_interval 0 30 Data collection interval, in seconds
sourcetype 0 aws:config Sourcetype of collected data
index 1 default Splunk index to ingest data. Default is main

Examples

GET, list of all inputs: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config
GET, list specified input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input
POST, create input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config -d name=test_config_input -d aws_account=test_account -d aws_region=<encode from actual value → ["ap-south-1","ap-south-1"]> -d sqs_queue=<encode from actual value → ["test-queue-1","test-queue-2"]> -d polling_interval=30 -d sourcetype=test_sourcetype -d index=default
POST, edit input: curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input -d aws_account=test_account -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queue=<encode from actual value → ["test-queue-1","test-queue-2"]> -d polling_interval=30 -d sourcetype=test_sourcetype -d index=default
DELETE, delete input: curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input

Config Rules inputs

Manage or configure Config Rules inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/<config_rule_input_name>

GET, POST, or DELETE

API for the AWS Config Rules input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Name Required Default Description
name 1 - Unique name for input
account 1 - AWS Account
aws_iam_role 0 - AWS IAM role
region 1 - JSON array specifying list of regions
rule_names 0 - JSON array specifying rule names. Leave blank to select all rules
polling_interval 0 300 Data collection interval, in seconds
sourcetype 0 aws:config:rule Sourcetype of collected data
index 1 default Splunk index to ingest data. Default is main

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule -d name=test_config_rule_input -d account=test_account -d aws_iam_role=test_iam_role -d region=<encode from actual value → ["ap-northeast-3","ap-south-1"]> -d rule_names=<encode from actual value → ["test-rule-1","test-rule-2"]> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input -d account=test_account -d aws_iam_role=test_iam_role -d region=<encode from actual value → ["ap-northeast-3","ap-south-1"]> -d rule_names=<encode from actual value → ["test-rule-1","test-rule-2"]> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input
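
The POST examples above leave the JSON-array parameters as "encode from actual value" placeholders. The following added example (not code from the add-on or its documentation) builds the percent-encoded body for this endpoint with Python's standard library, and generalizes to the SQS input on this page, whose aws_region and sqs_queues are also JSON arrays; the helper names and the sample values are constructed.

```python
"""Build create/edit requests for the add-on's input endpoints.

Added example, not code from the Splunk Add-on for AWS or its documentation.
Endpoint paths and parameter names come from the reference tables; the
helper names and the sample values are constructed for illustration.
"""
import json
from urllib.parse import quote, urlencode

BASE_PATH = "/servicesNS/nobody/Splunk_TA_aws"

# Per-endpoint facts taken from the reference: which parameters are marked
# Required=1 and which are documented as JSON arrays (the
# "<encode from actual value -> [...]>" placeholders in the curl examples).
ENDPOINTS = {
    "config_rule": {
        "path": f"{BASE_PATH}/splunk_ta_aws_aws_config_rule",
        "required": ("name", "account", "region", "index"),
        "json_arrays": ("region", "rule_names"),
    },
    "sqs": {
        "path": f"{BASE_PATH}/splunk_ta_aws_splunk_ta_aws_sqs",
        "required": ("name", "aws_account", "sqs_queues", "interval", "index"),
        "json_arrays": ("aws_region", "sqs_queues"),
    },
}


def encode_body(params: dict, json_arrays: tuple) -> str:
    """Serialise list-valued parameters to compact JSON arrays, then
    percent-encode the whole body (application/x-www-form-urlencoded)."""
    encoded = {}
    for key, value in params.items():
        if key in json_arrays:
            if isinstance(value, str):
                try:
                    value = json.loads(value)  # accept a pre-built JSON string
                except ValueError as exc:
                    raise TypeError(f"{key} must be a list of strings or a JSON array") from exc
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                raise TypeError(f"{key} must be a list of strings")
            value = json.dumps(value, separators=(",", ":"))
        encoded[key] = value
    return urlencode(encoded)


def build_input_request(host: str, mgmt_port: int, kind: str, params: dict,
                        edit: bool = False) -> tuple:
    """Return (url, body) for creating or editing an input.

    Create: POST to the collection URL with 'name' in the body.
    Edit:   POST to <collection>/<input_name>; the name travels in the URL and
            is dropped from the body, as in the reference's Edit examples.
    Authentication (basic auth or a Splunk token) belongs to the HTTP client
    and is not part of the body.
    """
    spec = ENDPOINTS[kind]
    missing = [k for k in spec["required"] if not params.get(k)]
    if missing:
        raise ValueError(f"{kind}: missing required parameters: {', '.join(missing)}")
    body_params = dict(params)
    url = f"https://{host}:{mgmt_port}{spec['path']}"
    if edit:
        url += "/" + quote(str(body_params.pop("name")), safe="")
    return url, encode_body(body_params, spec["json_arrays"])


if __name__ == "__main__":
    # Constructed values mirroring the reference's Create example.
    url, body = build_input_request("localhost", 8089, "config_rule", {
        "name": "test_config_rule_input", "account": "test_account",
        "aws_iam_role": "test_iam_role",
        "region": ["ap-northeast-3", "ap-south-1"],
        "rule_names": ["test-rule-1", "test-rule-2"],
        "polling_interval": 300, "sourcetype": "aws:config:rule", "index": "default",
    })
    print(url)
    print(body)
```
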

Description input

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_description

GET, POST, or DELETE

API for AWS Description inputs.

Request parameters

Name Type Required Description
name Boolean true Name
account Boolean true AWS Account
aws_iam_role Boolean false Assume role
regions Boolean true AWS Regions
apis Boolean true APIs for the following information: ec2_volumes/3600,ec2_instances/3600,ec2_reserved_instances/3600,ebs_snapshots/3600,classic_load_balancers/3600,application_load_balancers/3600,vpcs/3600,vpc_network_acls/3600,cloudfront_distributions/3600,vpc_subnets/3600,rds_instances/3600,ec2_key_pairs/3600,ec2_security_groups/3600,ec2_images/3600,ec2_addresses/3600,lambda_functions/3600,s3_buckets/3600
sourcetype Boolean true Sourcetype API for aws:description
index Boolean true Index

Generic S3 input

Manage or configure Generic S3 inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/<generic_s3_input_name>

GET, POST, or DELETE

API for the AWS S3 input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
host_name 0 - The host name of the S3 service.
aws_s3_region 0 - AWS region that contains the bucket.
bucket_name 1 - AWS S3 bucket name.
key_name 0 - S3 key prefix.
parse_csv_with_header 0 0 If enabled, every file is parsed with its first line treated as the header. Specify either 0 or 1.
parse_csv_with_delimiter 0 , Delimiter to use when parsing CSV files.
initial_scan_datetime 0 - Splunk relative time. Format = %Y-%m-%dT%H:%M:%SZ.
terminal_scan_datetime 0 - Only S3 keys which have been modified before this datetime will be considered. Format = %Y-%m-%dT%H:%M:%SZ.
ct_blacklist 0 ^$ Only valid if sourcetype is set to aws:cloudtrail. A PCRE regex that specifies event names to exclude.
blacklist 0 - Regex specifying S3 keys (folders) to ignore.
whitelist 0 - Regex specifying S3 keys (folders) to ignore. Overrides blacklist.
ct_excluded_events_index 0 - Name of the index to put excluded events into. Keep empty to discard the events.
max_retries 0 3 Max number of retry attempts to stream an incomplete item.
recursion_depth 0 -1 Number specifying the depth of subfolders to scan. -1 specifies all subfolders (unconstrained).
max_items 0 100000 Max trackable items.
character_set 0 auto The character encoding used in your S3 files, for example UTF-8.
is_secure 0 - Whether to use a secure connection to AWS.
private_endpoint_enabled 0 - Whether to use a private endpoint. Specify either 0 or 1.
s3_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint URL to connect with the S3 service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint URL to connect with the STS service.
polling_interval 0 1800 Data collection interval, in seconds.
sourcetype 1 aws:s3 Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3 -d name=test_generic_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.ap-south-1.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=test-bucket -d key_name=TestData -d parse_csv_with_header=0 -d parse_csv_with_delimiter=<encode from actual value → ,> -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d terminal_scan_datetime=<encode from actual value → 2023-01-10T00:00:00Z> -d ct_blacklist=<encode from actual value → ^$> -d blacklist=<encode from actual value → Test/.*> -d whitelist=<encode from actual value → Data/.*> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.ap-south-1.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=test-bucket -d key_name=TestData -d parse_csv_with_header=0 -d parse_csv_with_delimiter=<encode from actual value → ,> -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d terminal_scan_datetime=<encode from actual value → 2023-01-10T00:00:00Z> -d ct_blacklist=<encode from actual value → ^$> -d blacklist=<encode from actual value → Test/.*> -d whitelist=<encode from actual value → Data/.*> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default -d recursion_depth=2 -d max_retries=5
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input

Incremental S3 input

Manage or configure Incremental S3 inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/<incremental_s3_input_name>

GET, POST, or DELETE

API for the AWS Incremental S3 input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
host_name 0 - The host name of the S3 service.
aws_s3_region 0 - The AWS region that contains the S3 bucket.
bucket_name 1 - The AWS S3 bucket name.
log_type 1 - The type of logs to ingest. Available log types are cloudtrail, elb:accesslogs, cloudfront:accesslogs and s3:accesslogs.
log_file_prefix 0 - Prefix of the log files. Together with the other path elements, it forms the URL under which the add-on searches for the log files.
log_start_date 0 - The start date of the log. Format = %Y-%m-%d.
bucket_region 0 - The AWS region where the S3 bucket exists.
distribution_id 0 - CloudFront distribution id. Specify only when creating input for collecting CloudFront access logs.
max_fails 0 10000 Stop discovering new keys if the number of failed files exceeds max_fails.
max_number_of_process 0 2 Maximum number of processes.
max_number_of_thread 0 4 Maximum number of threads.
max_retries 0 -1 Max number of retries to collect data upon failing requests. Specify -1 to retry until success.
private_endpoint_enabled 0 - Whether to use private endpoint. Specify 0 to disable, or 1 to enable.
s3_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with the S3 service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with the STS service.
interval 0 1800 Data collection interval, in seconds.
sourcetype 0 aws:s3 Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs -d name=test_incremental_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d log_type=<encode from actual value → s3:accesslogs> -d log_file_prefix=test-prefix -d log_start_date=2023-01-01 -d bucket_region=ap-south-1 -d interval=1800 -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d log_type=<encode from actual value → s3:accesslogs> -d log_file_prefix=test-prefix -d log_start_date=2023-01-01 -d bucket_region=ap-south-1 -d interval=1800 -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input

Inspector input

Manage or configure Inspector inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/<inspector_input_name>

GET, POST, or DELETE

API for the Amazon Inspector input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
regions 1 - AWS regions that contain your data. Enter region IDs in a comma-separated list.
polling_interval 1 300 Data collection interval, in seconds.
sourcetype 1 aws:inspector Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector -d name=test_inspector_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=600 -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input

Inspector V2 input

Manage or configure Inspector V2 inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/<inspector_v2_input_name>

GET, POST, or DELETE

API for the Amazon Inspector V2 input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
regions 1 - AWS regions that contain your data. Enter region IDs in a comma-separated list.
polling_interval 1 300 Data collection interval, in seconds.
sourcetype 1 aws:inspector:v2:findings Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2 -d name=test_inspector_v2_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=600 -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input

Kinesis input

Manage or configure Kinesis inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/<kinesis_input_name>

GET, POST, or DELETE

API for the AWS Kinesis input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
region 1 - AWS region for Kinesis stream.
stream_names 1 - Kinesis stream names in a comma-separated list. Leave empty to collect all streams.
init_stream_position 0 LATEST Stream position from which to start collecting data. Specify either TRIM_HORIZON (from the start of the stream) or LATEST (recent live data).
encoding 0 - Encoding of stream data. Set to gzip or leave blank, which defaults to Base64.
format 0 - Format of the collected data. Specify CloudWatchLogs or leave empty.
private_endpoint_enabled 0 - Whether to use private endpoint. Specify 0 to disable, or 1 to enable.
kinesis_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with the Kinesis service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with the STS service.
sourcetype 0 aws:kinesis Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.
metric_index_flag 0 No Whether to use metric index or event index.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis -d name=test_kinesis_input -d account=test_account -d aws_iam_role=test_iam_role -d region=ap-south-1 -d stream_names=test-stream -d init_stream_position=LATEST -d encoding=gzip -d format=CloudWatchLogs -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input -d account=test_account -d aws_iam_role=test_iam_role -d region=ap-south-1 -d stream_names=test-stream -d init_stream_position=TRIM_HORIZON -d encoding=gzip -d format=CloudWatchLogs -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input

Metadata input

Manage or configure Metadata inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/<metadata_input_name>

GET, POST, or DELETE

API for the AWS Metadata input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
regions 1 - AWS regions from which to collect data, as a comma-separated list.
apis 1 - APIs to collect data with and the collection interval for each, in the format <api_name>/<interval>. For example, ec2_instances/3600, kinesis_stream/3600.
sourcetype 0 aws:metadata Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata -d name=test_metadata_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> -d apis=<encode from actual value → ec2_instances/3600, lambda_functions/3600, s3_buckets/3600> -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> -d apis=<encode from actual value → ec2_instances/3600, lambda_functions/3600, s3_buckets/3600> -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input

SQS input

Manage or configure SQS inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/<sqs_input_name>

GET, POST, or DELETE

API for the AWS SQS input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
aws_region 0 - List of AWS regions containing SQS queues.
sqs_queues 1 - Comma-separated list of AWS SQS queue names.
interval 1 30 Data collection interval.
sourcetype 0 - Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs -d name=test_sqs_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> -d interval=30 -d sourcetype=test_sourcetype -d index=default
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> -d interval=30 -d sourcetype=test_sourcetype -d index=default
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input

SQS-based S3 input

Manage or configure SQS-based S3 inputs in the add-on.

API Endpoints

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/<sqs_based_s3_input_name>

GET, POST, or DELETE

API for the AWS SQS-based S3 input.

Request URL parameters

Parameter Default Description
output_mode - If output_mode=json, response is returned in JSON format.

Request body parameters

Parameter Required Default value Description
name 1 - Unique name for input.
aws_account 1 - AWS account name.
aws_iam_role 0 - AWS IAM role.
using_dlq 0 1 Specify 0 to disable or 1 to enable checking for a dead letter queue (DLQ).
sqs_sns_validation 0 1 Enable or disable SNS signature validation. Specify either 0 or 1.
parse_csv_with_header 0 0 Enable parsing of CSV data with a header; the first line of each file is treated as the header. Specify either 0 or 1.
parse_csv_with_delimiter 0 , Delimiter to use when parsing CSV files.
sqs_queue_region 1 - Name of the AWS region in which the notification queue is located.
sqs_queue_url 1 - URL of the SQS queue to which notifications of S3 file creation are sent.
sqs_batch_size 0 10 Max number of messages to pull from SQS in one batch.
s3_file_decoder 1 - Name of a decoder which decodes files into events: CloudTrail, Config, S3 Access Logs, ELB Access Logs, CloudFront Access Logs, and CustomLogs.
private_endpoint_enabled 0 - Whether to use private endpoint. Specify either 0 or 1.
sqs_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with SQS service.
s3_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with s3 service.
sts_private_endpoint_url 1 if private_endpoint_enabled=1 - Private endpoint url to connect with STS service.
interval 0 300 Data collection interval.
sourcetype 1 - Sourcetype of collected data.
index 1 default Splunk index to ingest data. Default is main.
sns_max_age 1 96 Maximum age of the SNS message, in hours.
metric_index_flag 0 No Whether to use metric index or event index.

Examples

GET List of all inputs curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3
List specified input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input
POST Create input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3 -d name=test_sqs_based_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d using_dlq=1 -d sqs_sns_validation=1 -d parse_csv_with_header=1 -d parse_csv_with_delimiter=<encode from actual value → ,> -d sqs_queue_region=ap-south-1 -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue> -d sqs_batch_size=10 -d s3_file_decoder=CustomLogs -d interval=300 -d sourcetype=test_sourcetype -d index=default -d sns_max_age=96
Edit input curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d using_dlq=1 -d sqs_sns_validation=1 -d parse_csv_with_header=1 -d parse_csv_with_delimiter=<encode from actual value → |> -d sqs_queue_region=ap-south-1 -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue> -d sqs_batch_size=10 -d s3_file_decoder=Config -d interval=300 -d sourcetype=test_sourcetype -d index=default -d sns_max_age=96
DELETE Delete input curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input
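
A reviewer of these inputs would want to confirm that sqs_sns_validation and using_dlq are still enabled, that sns_max_age has not drifted above its default, and that sqs_queue_region agrees with the queue URL. The following added example (not code from the add-on) reads the JSON that a GET on this endpoint with output_mode=json returns, in Splunk's standard entry/content envelope, and reports such findings; the sample response, the helper names and the finding texts are constructed.

```python
"""Audit SQS-based S3 inputs returned by the add-on's REST endpoint.

Added example, not code from the Splunk Add-on for AWS. Input: the JSON that
GET .../splunk_ta_aws_aws_sqs_based_s3?output_mode=json returns, in Splunk's
standard {"entry": [{"name": ..., "content": {...}}]} envelope. The sample
response, the helper names and the finding texts are constructed.
"""
import json
import re

DEFAULT_SNS_MAX_AGE = 96  # hours; the documented default for sns_max_age
# Shape of a standard queue URL, following the reference's example value.
QUEUE_URL_RE = re.compile(r"^https://sqs\.([a-z0-9-]+)\.amazonaws\.com/\d{12}/[^/]+$")


def flag_enabled(value) -> bool:
    """Splunk stores the 0/1 switches as strings; treat 1/true/yes as enabled."""
    return str(value).strip().lower() in ("1", "true", "yes")


def audit_sqs_based_s3(response: dict) -> dict:
    """Return {input_name: [finding, ...]}; a clean input maps to []."""
    report = {}
    for entry in response.get("entry", []):
        c = entry.get("content", {})
        findings = []
        # Both switches default to 1 (enabled) per the reference; report if off.
        if not flag_enabled(c.get("sqs_sns_validation", "1")):
            findings.append("sqs_sns_validation=0: SNS signature validation is disabled")
        if not flag_enabled(c.get("using_dlq", "1")):
            findings.append("using_dlq=0: dead letter queue checking is disabled")
        # A larger sns_max_age widens the window in which an old notification
        # is still accepted; report anything above the documented default.
        try:
            max_age = int(c.get("sns_max_age", DEFAULT_SNS_MAX_AGE))
        except (TypeError, ValueError):
            max_age = None
        if max_age is None or max_age > DEFAULT_SNS_MAX_AGE:
            findings.append(f"sns_max_age={c.get('sns_max_age')!r}: above the default of "
                            f"{DEFAULT_SNS_MAX_AGE} hours")
        # The region embedded in the queue URL should agree with sqs_queue_region.
        url = str(c.get("sqs_queue_url", ""))
        m = QUEUE_URL_RE.match(url)
        if not m:
            findings.append(f"sqs_queue_url={url!r}: not a standard SQS queue URL")
        elif m.group(1) != c.get("sqs_queue_region"):
            findings.append(f"sqs_queue_region={c.get('sqs_queue_region')!r} does not match "
                            f"the queue URL region {m.group(1)!r}")
        report[entry.get("name", "<unnamed>")] = findings
    return report


# Constructed response in the shape the endpoint returns with output_mode=json.
SAMPLE_RESPONSE = json.loads("""
{"entry": [
  {"name": "test_sqs_based_s3_input",
   "content": {"aws_account": "test_account", "using_dlq": "1", "sqs_sns_validation": "1",
               "sqs_queue_region": "ap-south-1",
               "sqs_queue_url": "https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue",
               "sqs_batch_size": "10", "s3_file_decoder": "CustomLogs", "interval": "300",
               "sourcetype": "test_sourcetype", "index": "default", "sns_max_age": "96"}},
  {"name": "legacy_cloudtrail_input",
   "content": {"aws_account": "test_account", "using_dlq": "0", "sqs_sns_validation": "0",
               "sqs_queue_region": "us-east-1",
               "sqs_queue_url": "https://sqs.eu-west-1.amazonaws.com/123456789012/ct-queue",
               "s3_file_decoder": "CloudTrail", "interval": "300",
               "sourcetype": "aws:cloudtrail", "index": "default", "sns_max_age": "240"}}
]}
""")


if __name__ == "__main__":
    for name, findings in audit_sqs_based_s3(SAMPLE_RESPONSE).items():
        print(name, "OK" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```
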