API reference for the Splunk Add-on for AWS
See the following sections for API reference information for the Splunk Add-on for AWS.
AWS Account
Manage or configure AWS accounts in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/<account_name>
GET, POST, or DELETE
API for AWS Account settings.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Name | Required | Default | Description |
---|---|---|---|
name | 1 | - | Unique name for AWS account |
key_id | 1 | - | AWS account key id |
secret_key | 1 | - | AWS account secret key |
category | 1 | 1 | AWS account region category. Specify either 1, 2, or 4 (1 = Global, 2 = US Gov, 4 = China) |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all accounts | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account` |
GET | List specified account | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account` |
POST | Create account | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account -d name=test_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1` |
POST | Edit account | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1` |
DELETE | Delete account | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_account/test_account` |
AWS Private Account
Manage or configure AWS private accounts in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/<private_account_name>
GET, POST, or DELETE
API for AWS Private Account settings.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Name | Required | Default | Description |
---|---|---|---|
name | 1 | - | Unique name for AWS private account |
key_id | 1 | - | AWS private account key id |
secret_key | 1 | - | AWS private account secret key |
category | 1 | - | AWS private account region category. Specify either 1, 2, or 4 (1 = Global, 2 = US Gov, 4 = China) |
sts_region | 1 if using private endpoint | - | AWS region to be used for API calls to the STS service |
private_endpoint_enabled | 0 | - | Whether to use user-provided AWS private endpoints for making API calls to AWS services. Specify either 0 or 1 |
sts_private_endpoint_url | 1 if using private endpoint | - | Required if private_endpoint_enabled=1. AWS private endpoint url |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all accounts | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account` |
GET | List specified account | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account` |
POST | Create account | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account -d name=test_private_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 -d sts_region=ap-south-1 -d private_endpoint_enabled=1 -d sts_private_endpoint_url=<encode from actual value → https://vpce-endpoint_id-unique_id.sts.region.vpce.amazonaws.com>` |
POST | Edit account | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account -d key_id=<aws_account_key_id> -d secret_key=<aws_account_secret_key> -d category=1 -d sts_region=ap-northeast-1 -d private_endpoint_enabled=1 -d sts_private_endpoint_url=<encode from actual value → https://vpce-endpoint_id-unique_id.sts.region.vpce.amazonaws.com>` |
DELETE | Delete account | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_private_account/test_private_account` |
AWS IAM Role
Manage or configure AWS IAM Role in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/<iam_role_name>
GET, POST, or DELETE
API for AWS IAM Role settings.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Name | Required | Default | Description |
---|---|---|---|
name | 1 | - | Unique name for AWS IAM role |
arn | 1 | - | AWS IAM role ARN |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all IAM roles | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles` |
GET | List specified IAM role | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role` |
POST | Create IAM role | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles -d name=test_iam_role -d arn=<encode from actual value → arn:aws:iam::aws_account_id:role/AWSTestIAMRole>` |
POST | Edit IAM role | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role -d arn=<encode from actual value → arn:aws:iam::aws_account_id:role/AWSTestIAMRole>` |
DELETE | Delete IAM role | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_iam_roles/test_iam_role` |
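The three account-type endpoints above (AWS Account, AWS Private Account, AWS IAM Role) share one request shape: a form-encoded POST whose required fields depend on other fields, and whose values (ARNs, private endpoint URLs) must be percent-encoded, which is what the `<encode from actual value → …>` placeholders in the curl examples mean. The following is an added example, not code from the add-on or its documentation; the account id, hostnames and the `Authorization` header value are assumptions, and the required-parameter rules are copied from the tables above.

```python
"""Added example, not part of the Splunk Add-on for AWS documentation or code.
Validates and form-encodes POST bodies for the AWS Account, AWS Private
Account and AWS IAM Role endpoints using the required-parameter rules from
the reference tables, and sends them with a token instead of a password.
"""
import json
import urllib.parse
import urllib.request

# Required-parameter rules copied from the tables on this page.  A plain
# string is always required; a (field, (other_field, value)) tuple is
# required only when other_field carries that value.
REQUIRED = {
    "splunk_ta_aws_aws_account": ["name", "key_id", "secret_key", "category"],
    "splunk_ta_aws_aws_private_account": [
        "name", "key_id", "secret_key", "category",
        ("sts_region", ("private_endpoint_enabled", "1")),
        ("sts_private_endpoint_url", ("private_endpoint_enabled", "1")),
    ],
    "splunk_ta_aws_iam_roles": ["name", "arn"],
}
VALID_CATEGORIES = {"1", "2", "4"}  # 1 = Global, 2 = US Gov, 4 = China


def validate(endpoint, params, create=True):
    """Return a list of problems; an empty list means the body is complete.
    On an edit (POST to .../<name>) the name travels in the URL, not the body."""
    problems = []
    for rule in REQUIRED[endpoint]:
        if isinstance(rule, tuple):
            field, (other, value) = rule
            if str(params.get(other, "")) == value and not params.get(field):
                problems.append(f"{field} is required when {other}={value}")
        elif rule == "name" and not create:
            continue
        elif not params.get(rule):
            problems.append(f"{rule} is required")
    if "category" in params and str(params["category"]) not in VALID_CATEGORIES:
        problems.append("category must be 1, 2 or 4")
    return problems


def build_request(host, endpoint, params, name=None, mgmt_port=8089):
    """Return (url, body).  body is the application/x-www-form-urlencoded
    string; urlencode percent-encodes ':' '/' and '=' so an ARN or a
    https://... endpoint URL survives the trip, which is what the
    "encode from actual value" placeholders in the curl examples require."""
    problems = validate(endpoint, params, create=name is None)
    if problems:
        raise ValueError("; ".join(problems))
    path = f"/servicesNS/nobody/Splunk_TA_aws/{endpoint}"
    if name is not None:
        path += "/" + urllib.parse.quote(name, safe="")
    url = f"https://{host}:{mgmt_port}{path}?output_mode=json"
    body = urllib.parse.urlencode({k: str(v) for k, v in params.items()})
    return url, body


def send(url, body, auth_header, ssl_context=None):
    """POST the encoded body.  auth_header is assumed to be "Bearer <token>"
    or "Splunk <session_key>", so the admin password from the curl examples
    never has to sit in a shell history; pass an ssl_context that trusts the
    management port's certificate rather than disabling verification."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; the account id is a placeholder.
    url, body = build_request("localhost", "splunk_ta_aws_iam_roles", {
        "name": "test_iam_role",
        "arn": "arn:aws:iam::123456789012:role/AWSTestIAMRole",
    })
    print(url)
    print(body)
```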
Billing (Cost and Usage Report)
Manage or configure Billing (Cost and Usage Report) inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/<billing_cur_input_name>
GET, POST, or DELETE
API for the AWS Billing (Cost and Usage) input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role name |
aws_s3_region | 0 | - | Region to connect with S3 service using regional endpoint |
bucket_region | 0 | - | Region of AWS S3 bucket |
bucket_name | 1 | - | Name of S3 bucket where reports are delivered to |
report_prefix | 0 | - | Prefixes used to allow AWS to deliver reports into a specified folder |
report_names | 0 | - | Regex used to filter reports by name |
temp_folder | 0 | - | Full path to a non-default folder for temporarily storing downloaded detailed billing report .zip files |
start_date | 0 | 90 days before input is configured | Collect data after this time. Format = %Y-%m |
private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. |
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with S3 service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with STS service. |
interval | 0 | 86400 | Data collection interval, in seconds |
sourcetype | 0 | aws:billing:cur | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur -d name=test_billing_cur_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d bucket_region=ap-south-1 -d report_prefix=test_report -d report_names=test_report_name.* -d temp_folder=test_temp_folder -d interval=1800 -d start_date=2023-01 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d bucket_region=ap-south-1 -d report_prefix=test_report -d report_names=test_report_name.* -d temp_folder=test_temp_folder -d interval=1800 -d start_date=2023-01 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing_cur/test_billing_cur_input` |
Billing (Legacy)
Manage or configure Billing (Legacy) inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/<billing_input_name>
GET, POST, or DELETE
API for the Billing (Legacy) input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role name |
aws_s3_region | 0 | - | Region to connect with S3 service using regional endpoint |
host_name | 0 | - | Host name of S3 service (s3.amazonaws.com) |
bucket_name | 1 | - | S3 bucket name which is configured to hold billing reports |
monthly_report_type | 0 | Monthly cost allocation report | Monthly report type. Specify either of the following: |
detail_report_type | 0 | Detailed billing report with resources and tags | Detail report type. Specify either of the following: |
temp_folder | 0 | - | Full path to a non-default folder for temporarily storing downloaded detailed billing report .zip files |
report_file_match_reg | 0 | - | Regex for report selection. This expression overrides monthly_report_type and detail_report_type |
recursion_depth | 0 | - | Recursion depth, as a count, when iterating child files and folders |
monthly_timestamp_select_column_list | 0 | - | Fields of timestamp extracted from monthly report, separated by `\|` |
detail_timestamp_select_column_list | 0 | - | Fields of timestamp extracted from detail report, separated by `\|` |
time_format_list | 0 | - | Time formats to extract from existing report, separated by `\|`. Example: %Y-%m-%d %H:%M:%S |
max_file_size_csv_in_bytes | 0 | 50 MB | Max file size in CSV file format |
max_file_size_csv_zip_in_bytes | 0 | 1 GB | Max file size in CSV zip format |
header_look_up_max_lines | 0 | - | Max lines to look up header of billing report |
header_magic_regex | 0 | - | Regex of header to look up |
monthly_real_timestamp_extraction | 0 | - | For monthly report, regex to extract real timestamp in the report |
monthly_real_timestamp_format_reg_list | 0 | - | For monthly report, regex to match the format of real time string, separated by `\|` |
initial_scan_datetime | 0 | - | Timestamp for initial scan. Format = %Y-%m-%dT%H:%M:%SZ |
interval | 0 | 86400 | Data collection interval, in seconds |
sourcetype | 0 | aws:billing | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/test_billing_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing -d name=test_billing_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d host_name=s3.amazonaws.com -d bucket_name=testing-bucket-05 -d monthly_report_type="Monthly cost allocation report" -d detail_report_type="Detailed billing report with resources and tags" -d temp_folder=test_temp_folder -d recursion_depth=2 -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d interval=3600 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/test_billing_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_s3_region=ap-south-1 -d host_name=s3.amazonaws.com -d bucket_name=testing-bucket-05 -d monthly_report_type="Monthly cost allocation report" -d detail_report_type="Detailed billing report" -d temp_folder=test_temp_folder -d recursion_depth=1 -d interval=3600 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_billing/test_billing_input` |
Cloudtrail
Manage or configure Cloudtrail inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/<cloudtrail_input_name>
GET, POST, or DELETE
API for the AWS Cloudtrail input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_region | 1 | - | AWS region to collect data from |
sqs_queue | 1 | - | Name of the queue where AWS sends new Cloudtrail log notifications |
remove_files_when_done | 0 | 0 | Boolean value indicating whether Splunk should delete log files from the S3 bucket after indexing |
exclude_describe_events | 0 | 1 | Boolean value indicating whether or not to exclude certain events, such as read-only events that can produce a high volume of data |
blacklist | 0 | - | A PCRE regex that specifies event names to exclude if exclude_describe_events is set to True. Leave blank to use the default regex, which begins with `^(?:Describe` |
excluded_events_index | 0 | - | Splunk index to put excluded events. Default is empty, which discards the events |
private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. |
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with S3 service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with STS service. |
sqs_private_endpoint_enabled | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with SQS service. |
interval | 0 | 30 | Data collection interval, in seconds |
sourcetype | 1 | aws:cloudtrail | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail -d name=test_cloudtrail_input -d aws_account=test_account -d aws_region=ap-south-1 -d sqs_queue=test_queue -d remove_files_when_done=0 -d exclude_describe_events=1 -d blacklist=<encode from actual value → test/.*> -d interval=3600 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input -d aws_account=test_account -d aws_region=ap-south-1 -d sqs_queue=test_queue -d remove_files_when_done=1 -d exclude_describe_events=1 -d blacklist=<encode from actual value → test/.*> -d excluded_events_index=test_idx -d interval=3600 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail/test_cloudtrail_input` |
Cloudtrail Lake
Manage or configure Cloudtrail Lake inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/<cloudtrail_input_name>
GET, POST, or DELETE
API for the Cloudtrail Lake input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input |
aws_account | 1 | - | AWS account name |
aws_iam_role | 0 | - | AWS IAM role |
aws_region | 1 | - | AWS region to collect data from |
input_mode | 1 | continuously_monitor | Input mode: whether to collect data continuously or once. |
event_data_store | 1 | - | The Cloudtrail Lake event data store from which the data will be collected. |
start_date_time | 1 | 7 days ago | Start date/time specifying how far back to go when initially collecting data. |
end_date_time | 1 if input_mode is index_once | - | End date/time up to which the input should collect data. |
private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1 |
cloudtrail_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with Cloudtrail service |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with STS service |
query_window_size | 1 | 15 | Controls the chunk size of each query. |
delay_throttle | 0 | 5 | How close to "now" the end date for a query may be (where "now" is the time that the input runs). |
interval | 0 | 3600 if input_mode is continuously_monitor, else -1 | Data collection interval, in seconds |
sourcetype | 0 | aws:cloudtrail:lake | Sourcetype of collected data |
index | 1 | default | Splunk index to ingest data. Default is main |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake -d name=test_cloudtrail_lake_input -d aws_account=test_account -d aws_region=ap-south-1 -d input_mode=continuously_monitor -d event_data_store=test_data_store -d start_date_time=2024-04-22T06:50:03 -d query_window_size=15 -d interval=3600 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input -d name=test_cloudtrail_lake_input -d aws_account=test_account -d aws_region=ap-south-1 -d input_mode=continuously_monitor -d event_data_store=test_data_store -d start_date_time=2024-04-22T06:50:03 -d query_window_size=15 -d interval=3600 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudtrail_lake/test_cloudtrail_lake_input` |
Cloudwatch
Manage or configure Cloudwatch inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/<cloudwatch_input_name>
GET, POST, or DELETE
API for the AWS Cloudwatch input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
aws_region | 1 | - | AWS region to collect data from |
metric_namespace | 0 | - | Cloudwatch metric namespace, for example AWS/EBS |
metric_names | 0 | - | Cloudwatch metric names in JSON array |
only_after | 0 | 1800 | The input will query the CloudWatch Logs events no later than |
metric_dimensions | 0 | - | Cloudwatch metric dimensions |
statistics | 0 | - | Cloudwatch metric statistics. Specify one or more of Average, Sum, SampleCount, Maximum, Minimum |
period | 0 | 300 | Cloudwatch metrics granularity, in seconds |
use_metric_format | 0 | false | Boolean indicating whether to transform data to metric format |
metric_expiration | 0 | 3600 | How long the discovered metrics are cached for, in seconds |
query_window_size | 0 | 7200 | How far back to retrieve data points for, in number of data points |
private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. |
monitoring_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with monitoring service. |
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with S3 service. |
ec2_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with EC2 service. |
elb_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with ELB service. |
lambda_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with Lambda service. |
autoscaling_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with autoscaling service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with STS service. |
polling_interval | 0 | 600 | Data collection interval. |
sourcetype | 1 | aws:cloudwatch | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch -d name=test_cloudwatch_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ap-south-1,ap-northeast-1> -d metric_namespace=<encode from actual value → ["AWS/ApiGateway","AWS/ApiGateway","AWS/ApiGateway","AWS/EC2","AWS/EC2","AWS/EC2","AWS/EC2"]> -d metric_names=<encode from actual value → ["\".*\"","[\"CacheHitCount\",\"5XXError\"]","[\"4XXError\"]","\".*\"","[\"DiskReadBytes\",\"CPUUtilization\"]","[\"CPUUtilization\",\"DiskWriteBytes\"]","\".*\""]> -d metric_dimensions=<encode from actual value → ["[{\"ApiName\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"],\"Method\":[\".*\"],\"Resource\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"]}]","[{\"ImageId\":[\".*\"]}]","[{\"InstanceId\":[\".*\"]}]","[{\"AutoScalingGroupName\":[\".*\"]}]","[{\"InstanceType\":[\".*\"]}]"]> -d statistics=<encode from actual value → ["[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\",\"Sum\"]","[\"Maximum\",\"SampleCount\"]","[\"Average\",\"SampleCount\",\"Maximum\"]","[\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\"]","[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]"]> -d period=300 -d use_metric_format=false -d metric_expiration=3600 -d query_window_size=7200 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input -d aws_region=<encode from actual value → ap-south-1,ap-northeast-1> -d metric_namespace=<encode from actual value → ["AWS/ApiGateway","AWS/ApiGateway","AWS/ApiGateway","AWS/EC2","AWS/EC2","AWS/EC2","AWS/EC2"]> -d metric_names=<encode from actual value → ["\".*\"","[\"CacheHitCount\",\"5XXError\"]","[\"4XXError\"]","\".*\"","[\"DiskReadBytes\",\"CPUUtilization\"]","[\"CPUUtilization\",\"DiskWriteBytes\"]","\".*\""]> -d metric_dimensions=<encode from actual value → ["[{\"ApiName\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"],\"Method\":[\".*\"],\"Resource\":[\".*\"],\"Stage\":[\".*\"]}]","[{\"ApiName\":[\".*\"]}]","[{\"ImageId\":[\".*\"]}]","[{\"InstanceId\":[\".*\"]}]","[{\"AutoScalingGroupName\":[\".*\"]}]","[{\"InstanceType\":[\".*\"]}]"]> -d statistics=<encode from actual value → ["[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\",\"Sum\"]","[\"Maximum\",\"SampleCount\"]","[\"Average\",\"SampleCount\",\"Maximum\"]","[\"SampleCount\",\"Maximum\",\"Minimum\"]","[\"Average\"]","[\"Average\",\"Sum\",\"SampleCount\",\"Maximum\",\"Minimum\"]"]> -d period=300 -d use_metric_format=false -d metric_expiration=3600 -d query_window_size=7200 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch/test_cloudwatch_input` |
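The Cloudwatch examples above pass metric_namespace, metric_names, metric_dimensions and statistics as four parallel JSON arrays whose i-th entries belong to the same query, and each entry is itself a JSON document stored as a string (hence the escaped quotes). Building those by hand is where an input silently ends up collecting the wrong metrics. The following is an added example, not code from the add-on or its documentation; it assembles the four arrays from one list of queries and decodes them back from a GET response, with the accepted statistics names taken from the table above.

```python
"""Added example, not part of the Splunk Add-on for AWS documentation or code.
Builds the parallel JSON-array parameters the Cloudwatch input endpoint
expects from one readable list of queries, and decodes them back so an
existing input can be audited for what it actually collects.
"""
import json

# Statistics the reference table lists as accepted values.
STATISTICS = {"Average", "Sum", "SampleCount", "Maximum", "Minimum"}


def _compact(value):
    """JSON without spaces, matching the form shown in the curl examples."""
    return json.dumps(value, separators=(",", ":"))


def invalid_statistics(stats):
    """Return the names in stats that are not accepted statistics."""
    return set(stats) - STATISTICS


def cloudwatch_params(regions, queries):
    """queries: list of dicts with keys namespace, metric_names (a list, or
    the string ".*" for all metrics), dimensions (dict of dimension name ->
    list of regexes) and statistics (list).  Returns the form parameters to
    POST; every query contributes exactly one entry to each of the four
    arrays, so they cannot drift out of step."""
    namespaces, names, dims, stats = [], [], [], []
    for q in queries:
        bad = invalid_statistics(q["statistics"])
        if bad:
            raise ValueError(f"unknown statistics for {q['namespace']}: {sorted(bad)}")
        namespaces.append(q["namespace"])
        names.append(_compact(q.get("metric_names", ".*")))
        dims.append(_compact([q["dimensions"]]))   # page format: [{...}]
        stats.append(_compact(q["statistics"]))
    return {
        "aws_region": ",".join(regions),
        "metric_namespace": _compact(namespaces),
        "metric_names": _compact(names),
        "metric_dimensions": _compact(dims),
        "statistics": _compact(stats),
    }


def decode_cloudwatch_params(params):
    """Inverse of cloudwatch_params: read the four arrays back out of an
    input's settings (as returned with output_mode=json) and pair them up.
    Raises if the arrays are not the same length, which is the usual sign
    of a hand-edited input."""
    keys = ("metric_namespace", "metric_names", "metric_dimensions", "statistics")
    columns = [json.loads(params[k]) for k in keys]
    if len({len(c) for c in columns}) != 1:
        raise ValueError("parallel arrays have different lengths")
    queries = []
    for ns, mn, md, st in zip(*columns):
        queries.append({
            "namespace": ns,
            "metric_names": json.loads(mn),
            "dimensions": json.loads(md)[0],
            "statistics": json.loads(st),
        })
    return params["aws_region"].split(","), queries


if __name__ == "__main__":
    # Constructed sample: two of the queries from the curl example above.
    sample = [
        {"namespace": "AWS/ApiGateway", "metric_names": ["CacheHitCount", "5XXError"],
         "dimensions": {"ApiName": [".*"], "Stage": [".*"]}, "statistics": ["Average", "Sum"]},
        {"namespace": "AWS/EC2", "metric_names": ".*",
         "dimensions": {"InstanceId": [".*"]}, "statistics": ["Average"]},
    ]
    for k, v in cloudwatch_params(["ap-south-1", "ap-northeast-1"], sample).items():
        print(f"-d {k}={v}")
```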
Cloudwatch Logs
Manage or configure Cloudwatch Logs inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/<cloudwatch_logs_input_name>
GET, POST, or DELETE
API for the AWS Cloudwatch Logs input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
region | 1 | - | AWS region to collect data from |
groups | 1 | - | Log group names to get data from, separated by comma (,) |
only_after | 0 | 1970-01-01T00:00:00 | Only events after the specified GMT time will be collected. Format = %Y-%m-%dT%H:%M:%S |
stream_matcher | 0 | .* | Regex to match log stream names for ingesting events |
private_endpoint_enabled | 0 | - | Whether to use private endpoint. Specify either 0 or 1. |
sqs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with SQS service. |
logs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with logs service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint url to connect with STS service. |
interval | 0 | 600 | Data collection interval. |
sourcetype | 1 | aws:cloudwatchlogs | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
metric_index_flag | 0 | No | Whether to use a metric index or an event index. |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs -d name=test_cloudwatch_logs_input -d account=test_account -d region=ap-south-1 -d groups=<encode from actual value → test-group-1,test-group-2> -d only_after=<encode from actual value → 2023-01-01T00:00:00> -d stream_matcher=<encode from actual value → test-stream.*> -d interval=300 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input -d account=test_account -d region=ap-south-1 -d groups=<encode from actual value → test-group-1,test-group-2> -d only_after=<encode from actual value → 2023-01-01T00:00:00> -d delay=900 -d stream_matcher=<encode from actual value → test-stream.*> -d interval=300 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_cloudwatch_logs/test_cloudwatch_logs_input` |
Config inputs
Manage or configure Config inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/<config_input_name>
GET, POST, or DELETE
API for the AWS Config input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, response is returned in JSON format. |
Request body parameters
Parameter | Required | Default | Description |
---|---|---|---|
name | 1 | - | Unique name for input |
aws_account | 1 | - | AWS account name |
aws_region | 1 | - | AWS regions to collect data from |
sqs_queue | 1 | - | SQS queue names where AWS sends Config notifications |
enable_additional_notifications | 0 | 0 | Deprecated |
polling_interval | 0 | 30 | Data collection interval, in seconds |
sourcetype | 0 | aws:config | Sourcetype of collected data |
index | 1 | default | Splunk index to ingest data. Default is main |
Examples
Method | Operation | Example |
---|---|---|
GET | List of all inputs | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config` |
GET | List specified input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input` |
POST | Create input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config -d name=test_config_input -d aws_account=test_account -d aws_region=<encode from actual value → ["ap-south-1","ap-south-1"]> -d sqs_queue=<encode from actual value → ["test-queue-1","-test-queue-2"]> -d polling_interval=30 -d sourcetype=test_sourcetype -d index=default` |
POST | Edit input | `curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input -d aws_account=test_account -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queue=<encode from actual value → ["test-queue-1","-test-queue-2"]> -d polling_interval=30 -d sourcetype=test_sourcetype -d index=default` |
DELETE | Delete input | `curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config/test_config_input` |
Config Rules inputs
Manage or configure Config Rules inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/<config_rule_input_name>
GET, POST, or DELETE
API for the AWS Config Rules input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Name | Required | Default | Description |
---|---|---|---|
name | 1 | - | Unique name for input |
account | 1 | - | AWS account |
aws_iam_role | 0 | - | AWS IAM role |
region | 1 | - | JSON array specifying the list of regions |
rule_names | 0 | - | JSON array specifying rule names. Leave blank to select all rules |
polling_interval | 0 | 300 | Data collection interval, in seconds |
sourcetype | 0 | aws:config:rule | Sourcetype of collected data |
index | 1 | default | Splunk index to ingest data. Default is main |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule -d name=test_config_rule_input -d account=test_account -d aws_iam_role=test_iam_role -d region=<encode from actual value → ["ap-northeast-3","ap-south-1"]> -d rule_names=<encode from actual value → ["test-rule-1","test-rule-2"]> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input -d account=test_account -d aws_iam_role=test_iam_role -d region=<encode from actual value → ["ap-northeast-3","ap-south-1"]> -d rule_names=<encode from actual value → ["test-rule-1","test-rule-2"]> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_config_rule/test_config_rule_input |
Description input¶
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_description
GET, POST, or DELETE
API for AWS Description inputs.
Request parameters
Name | Type | Description |
---|---|---|
name | Boolean true | Name |
account | Boolean true | AWS Account |
aws_iam_role | Boolean false | Assume role |
regions | Boolean true | AWS Regions |
apis | Boolean true | APIs to collect data with and the interval for each, in the format api_name/interval: ec2_volumes/3600, ec2_instances/3600, ec2_reserved_instances/3600, ebs_snapshots/3600, classic_load_balancers/3600, application_load_balancers/3600, vpcs/3600, vpc_network_acls/3600, cloudfront_distributions/3600, vpc_subnets/3600, rds_instances/3600, ec2_key_pairs/3600, ec2_security_groups/3600, ec2_images/3600, ec2_addresses/3600, lambda_functions/3600, s3_buckets/3600 |
sourcetype | Boolean true | Sourcetype of collected data (aws:description) |
index | Boolean true | Index |
Generic S3 input¶
Manage or configure Generic S3 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/<generic_s3_input_name>
GET, POST, or DELETE
API for the AWS S3 input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
host_name | 0 | - | The host name of the S3 service. |
aws_s3_region | 0 | - | AWS region that contains the bucket. |
bucket_name | 1 | - | AWS S3 bucket name. |
key_name | 0 | - | S3 key prefix. |
parse_csv_with_header | 0 | 0 | If enabled, all files are parsed with the first line of each file treated as the header. Specify either 0 or 1. |
parse_csv_with_delimiter | 0 | , | Delimiter to use when parsing CSV files. |
initial_scan_datetime | 0 | - | Splunk relative time. Format = %Y-%m-%dT%H:%M:%SZ. |
terminal_scan_datetime | 0 | - | Only S3 keys modified before this datetime are considered. Format = %Y-%m-%dT%H:%M:%SZ. |
ct_blacklist | 0 | ^$ | Only valid if sourcetype is set to aws:cloudtrail. A PCRE regex that specifies event names to exclude. |
blacklist | 0 | - | Regex specifying S3 keys (folders) to ignore. |
whitelist | 0 | - | Regex specifying S3 keys (folders) to include. Overrides blacklist. |
ct_excluded_events_index | 0 | - | Name of the index to put excluded events into. Leave empty to discard the events. |
max_retries | 0 | 3 | Max number of retry attempts to stream an incomplete item. |
recursion_depth | 0 | -1 | Depth of subfolders to scan. -1 specifies all subfolders (unconstrained). |
max_items | 0 | 100000 | Max trackable items. |
character_set | 0 | auto | The character encoding used in your S3 files, for example UTF-8. |
is_secure | 0 | - | Whether to use a secure connection to AWS. |
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify either 0 or 1. |
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the S3 service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. |
polling_interval | 0 | 1800 | Data collection interval, in seconds. |
sourcetype | 1 | aws:s3 | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3 |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3 -d name=test_generic_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.ap-south-1.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=test-bucket -d key_name=TestData -d parse_csv_with_header=0 -d parse_csv_with_delimiter=<encode from actual value → ,> -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d terminal_scan_datetime=<encode from actual value → 2023-01-10T00:00:00Z> -d ct_blacklist=<encode from actual value → ^$> -d blacklist=<encode from actual value → Test/.*> -d whitelist=<encode from actual value → Data/.*> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.ap-south-1.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=test-bucket -d key_name=TestData -d parse_csv_with_header=0 -d parse_csv_with_delimiter=<encode from actual value → ,> -d initial_scan_datetime=<encode from actual value → 2023-01-01T00:00:00Z> -d terminal_scan_datetime=<encode from actual value → 2023-01-10T00:00:00Z> -d ct_blacklist=<encode from actual value → ^$> -d blacklist=<encode from actual value → Test/.*> -d whitelist=<encode from actual value → Data/.*> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default -d recursion_depth=2 -d max_retries=5 |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_s3/test_generic_s3_input |
Incremental S3 input¶
Manage or configure Incremental S3 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/<incremental_s3_input_name>
GET, POST, or DELETE
API for the AWS Incremental S3 input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
host_name | 0 | - | The host name of the S3 service. |
aws_s3_region | 0 | - | The AWS region that contains the S3 bucket. |
bucket_name | 1 | - | The AWS S3 bucket name. |
log_type | 1 | - | The type of logs to ingest. Available log types are cloudtrail, elb:accesslogs, cloudfront:accesslogs and s3:accesslogs. |
log_file_prefix | 0 | - | The prefix of the log files, which together with the other path elements forms the URL under which the add-on searches for log files. |
log_start_date | 0 | - | The start date of the log. Format = %Y-%m-%d. |
bucket_region | 0 | - | The AWS region where the S3 bucket exists. |
distribution_id | 0 | - | CloudFront distribution ID. Specify only when creating an input for collecting CloudFront access logs. |
max_fails | 0 | 10000 | Stop discovering new keys if the number of failed files exceeds max_fails. |
max_number_of_process | 0 | 2 | Maximum number of processes. |
max_number_of_thread | 0 | 4 | Maximum number of threads. |
max_retries | 0 | -1 | Max number of retries to collect data upon failing requests. Specify -1 to retry until success. |
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify 0 to disable, or 1 to enable. |
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the S3 service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. |
interval | 0 | 1800 | Data collection interval, in seconds. |
sourcetype | 0 | aws:s3 | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs -d name=test_incremental_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d log_type=<encode from actual value → s3:accesslogs> -d log_file_prefix=test-prefix -d log_start_date=2023-01-01 -d bucket_region=ap-south-1 -d interval=1800 -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d host_name=s3.amazonaws.com -d aws_s3_region=ap-south-1 -d bucket_name=testing-bucket-05 -d log_type=<encode from actual value → s3:accesslogs> -d log_file_prefix=test-prefix -d log_start_date=2023-01-01 -d bucket_region=ap-south-1 -d interval=1800 -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input |
Inspector input¶
Manage or configure Inspector inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/<inspector_input_name>
GET, POST, or DELETE
API for the Amazon Inspector input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
regions | 1 | - | AWS regions that contain your data. Enter region IDs in a comma-separated list. |
polling_interval | 1 | 300 | Data collection interval, in seconds. |
sourcetype | 1 | aws:inspector | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector -d name=test_inspector_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=600 -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input |
Inspector V2 input¶
Manage or configure Inspector V2 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/<inspector_v2_input_name>
GET, POST, or DELETE
API for the Amazon Inspector V2 input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
regions | 1 | - | AWS regions that contain your data. Enter region IDs in a comma-separated list. |
polling_interval | 1 | 300 | Data collection interval, in seconds. |
sourcetype | 1 | aws:inspector:v2:findings | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2 |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2 -d name=test_inspector_v2_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=300 -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> -d polling_interval=600 -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input |
Kinesis input¶
Manage or configure Kinesis inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/<kinesis_input_name>
GET, POST, or DELETE
API for the AWS Kinesis input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
region | 1 | - | AWS region of the Kinesis stream. |
stream_names | 1 | - | Kinesis stream names in a comma-separated list. Leave empty to collect all streams. |
init_stream_position | 0 | LATEST | Stream position from which to start collecting data. Specify either TRIM_HORIZON (from the start) or LATEST (recent live data). |
encoding | 0 | - | Encoding of stream data. Set to gzip or leave blank, which defaults to Base64. |
format | 0 | - | Format of the collected data. Specify CloudWatchLogs or leave empty. |
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify 0 to disable, or 1 to enable. |
kinesis_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the Kinesis service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. |
sourcetype | 0 | aws:kinesis | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
metric_index_flag | 0 | No | Whether to use a metric index or an event index. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis -d name=test_kinesis_input -d account=test_account -d aws_iam_role=test_iam_role -d region=ap-south-1 -d stream_names=test-stream -d init_stream_position=LATEST -d encoding=gzip -d format=CloudwatchLogs -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input -d account=test_account -d aws_iam_role=test_iam_role -d region=ap-south-1 -d stream_names=test-stream -d init_stream_position=TRIM_HORIZON -d encoding=gzip -d format=CloudwatchLogs -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input |
Metadata input¶
Manage or configure Metadata inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/<metadata_input_name>
GET, POST, or DELETE
API for the AWS Metadata input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
regions | 1 | - | AWS regions from which to get data, separated by ','. |
apis | 1 | - | APIs to collect data with, and the interval for each API, in the format ec2_instances/3600, kinesis_stream/3600. |
sourcetype | 0 | aws:metadata | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata -d name=test_metadata_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> -d apis=<encode from actual value → ec2_instances/3600, lambda_functions/3600, s3_buckets/3600> -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input -d account=test_account -d aws_iam_role=test_iam_role -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> -d apis=<encode from actual value → ec2_instances/3600, lambda_functions/3600, s3_buckets/3600> -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input |
SQS input¶
Manage or configure SQS inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/<sqs_input_name>
GET, POST, or DELETE
API for the AWS SQS input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
aws_region | 0 | - | List of AWS regions containing SQS queues. |
sqs_queues | 1 | - | List of AWS SQS queue names, separated by ','. |
interval | 1 | 30 | Data collection interval. |
sourcetype | 0 | - | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs -d name=test_sqs_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> -d interval=30 -d sourcetype=test_sourcetype -d index=default |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> -d interval=30 -d sourcetype=test_sourcetype -d index=default |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input |
SQS-based S3 input¶
Manage or configure SQS-based S3 inputs in the add-on.
API Endpoints
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3
https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/<sqs_based_s3_input_name>
GET, POST, or DELETE
API for the AWS SQS-based S3 input.
Request URL parameters
Parameter | Default | Description |
---|---|---|
output_mode | - | If output_mode=json, the response is returned in JSON format. |
Request body parameters
Parameter | Required | Default value | Description |
---|---|---|---|
name | 1 | - | Unique name for input. |
aws_account | 1 | - | AWS account name. |
aws_iam_role | 0 | - | AWS IAM role. |
using_dlq | 0 | 1 | Specify 0 or 1 to disable or enable checking for the dead letter queue (DLQ). |
sqs_sns_validation | 0 | 1 | Enable or disable SNS signature validation. Specify either 0 or 1. |
parse_csv_with_header | 0 | 0 | Enable parsing of CSV data with a header; the first line of the file is treated as the header. Specify either 0 or 1. |
parse_csv_with_delimiter | 0 | , | Enable parsing of CSV data by the chosen delimiter. Specify the delimiter to use when parsing CSV files. |
sqs_queue_region | 1 | - | Name of the AWS region in which the notification queue is located. |
sqs_queue_url | 1 | - | Name of the SQS queue to which notifications of S3 file creation are sent. |
sqs_batch_size | 0 | 10 | Max number of messages to pull from SQS in one batch. |
s3_file_decoder | 1 | - | Name of a decoder which decodes files into events: CloudTrail, Config, S3 Access Logs, ELB Access Logs, CloudFront Access Logs, and CustomLogs. |
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify either 0 or 1. |
sqs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the SQS service. |
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the S3 service. |
sts_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL to connect with the STS service. |
interval | 0 | 300 | Data collection interval. |
sourcetype | 1 | - | Sourcetype of collected data. |
index | 1 | default | Splunk index to ingest data. Default is main. |
sns_max_age | 1 | 96 | Maximum age of the SNS message, in hours. |
metric_index_flag | 0 | No | Whether to use a metric index or an event index. |
Examples
Method | Action | Example |
---|---|---|
GET | List of all inputs | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3 |
GET | List specified input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input |
POST | Create input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3 -d name=test_sqs_based_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d using_dlq=1 -d sqs_sns_validation=1 -d parse_csv_with_header=1 -d parse_csv_with_delimiter=<encode from actual value → ,> -d sqs_queue_region=ap-south-1 -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue > -d sqs_batch_size=10 -d s3_file_decoder=CustomLogs -d interval=300 -d sourcetype=test_sourcetype -d index=default -d sns_max_age=96 |
POST | Edit input | curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input -d aws_account=test_account -d aws_iam_role=test_iam_role -d using_dlq=1 -d sqs_sns_validation=1 -d parse_csv_with_header=1 -d parse_csv_with_delimiter=<encode from actual value → |> -d sqs_queue_region=ap-south-1 -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue > -d sqs_batch_size=10 -d s3_file_decoder=Config -d interval=300 -d sourcetype=test_sourcetype -d index=default -d sns_max_age=96 |
DELETE | Delete input | curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input |
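As an added example (not code from the Splunk documentation or the add-on itself), the helper below does what the `<encode from actual value → ...>` placeholders in the curl examples leave to the reader: it form-encodes a request body with JSON arrays for list-valued parameters (aws_region, sqs_queue, region, rule_names, sqs_queues), enforces the "1 if private_endpoint_enabled=1" rule for the private endpoint URL parameters of the S3, Incremental S3, Kinesis and SQS-based S3 inputs, and assembles an SQS-based S3 body that keeps using_dlq and sqs_sns_validation switched on. The helper names, the endpoint-to-parameter map and the sample values are assumptions built from the tables above.

```python
import json
from urllib.parse import urlencode, parse_qs

# Added example; not part of the Splunk Add-on for AWS or its documentation.
# Endpoint and parameter names come from the tables above; the helper names
# and the endpoint-to-URL-parameter map below are assumptions for illustration.
PRIVATE_ENDPOINT_URLS = {
    "splunk_ta_aws_aws_s3": (
        "s3_private_endpoint_url", "sts_private_endpoint_url"),
    "splunk_ta_aws_splunk_ta_aws_logs": (
        "s3_private_endpoint_url", "sts_private_endpoint_url"),
    "splunk_ta_aws_aws_kinesis": (
        "kinesis_private_endpoint_url", "sts_private_endpoint_url"),
    "splunk_ta_aws_aws_sqs_based_s3": (
        "sqs_private_endpoint_url", "s3_private_endpoint_url",
        "sts_private_endpoint_url"),
}


def input_url(host, mgmt_port, endpoint, name=None, output_mode="json"):
    """Build the REST URL for an input endpoint, or for one named input."""
    url = f"https://{host}:{mgmt_port}/servicesNS/nobody/Splunk_TA_aws/{endpoint}"
    if name:
        url += f"/{name}"
    return f"{url}?output_mode={output_mode}"


def encode_body(params):
    """Form-encode a request body the way curl -d would send it.
    Lists become JSON arrays (what '<encode from actual value>' stands for
    for aws_region, sqs_queue, region, rule_names and sqs_queues); booleans
    become the 0/1 flags the tables expect; None values are dropped."""
    flat = {}
    for key, value in params.items():
        if isinstance(value, bool):
            flat[key] = "1" if value else "0"
        elif isinstance(value, (list, tuple)):
            flat[key] = json.dumps(list(value), separators=(",", ":"))
        elif value is not None:
            flat[key] = str(value)
    return urlencode(flat)


def decode_body(body):
    """Decode a form body back to a single-valued dict, for checking."""
    return {key: values[0] for key, values in parse_qs(body).items()}


def missing_private_endpoint_urls(endpoint, params):
    """Return the private endpoint URL parameters that the tables mark as
    required once private_endpoint_enabled=1 but that are missing or empty."""
    enabled = params.get("private_endpoint_enabled", 0)
    if enabled is not True and str(enabled) != "1":
        return []
    return [name for name in PRIVATE_ENDPOINT_URLS.get(endpoint, ())
            if not params.get(name)]


def sqs_based_s3_body(name, account, queue_region, queue_url, decoder,
                      sourcetype, index="default", **extra):
    """Body for creating an SQS-based S3 input. The DLQ check and SNS
    signature validation default to on; they are written out explicitly so
    a reviewer can see they were not switched off."""
    params = {
        "name": name,
        "aws_account": account,
        "using_dlq": True,
        "sqs_sns_validation": True,
        "sqs_queue_region": queue_region,
        "sqs_queue_url": queue_url,
        "sqs_batch_size": 10,
        "s3_file_decoder": decoder,
        "interval": 300,
        "sourcetype": sourcetype,
        "index": index,
        "sns_max_age": 96,
    }
    params.update(extra)
    missing = missing_private_endpoint_urls("splunk_ta_aws_aws_sqs_based_s3", params)
    if missing:
        raise ValueError("private_endpoint_enabled=1 requires: " + ", ".join(missing))
    return encode_body(params)


if __name__ == "__main__":
    # Constructed sample values; the queue URL matches the page's placeholder.
    print(input_url("localhost", 8089, "splunk_ta_aws_aws_sqs_based_s3"))
    print(sqs_based_s3_body(
        "test_sqs_based_s3_input", "test_account", "ap-south-1",
        "https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue",
        "CloudTrail", "aws:cloudtrail"))
```

Pass the returned string as the POST body (curl's --data-binary or urllib's data=) with basic auth against the URL from input_url; the private endpoint check raises before anything is sent.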