
API reference for the Splunk Add-on for AWS

See the following sections for API reference information for the Splunk Add-on for AWS.

Account

https://<host>:<mPort>/splunk_ta_aws_aws_account

GET, POST, or DELETE

API for AWS Account settings.

Request parameters

Name | Required (Boolean) | Description
name | true | Name
key_id | true | Key ID
secret_key | true | Secret Key
category | true | Region Category
iam | false | Identifies EC2 Instance Role

Config inputs

https://<host>:<mPort>/aws_config_inputs_rh_ucc

GET, POST, or DELETE

API for the AWS Config input.

Request parameters

Name | Required (Boolean) | Description
name | true | Name
aws_account | true | AWS Account
aws_region | true | AWS Region
sqs_queue | true | SQS Queue Name
polling_interval | true | Interval
sourcetype | true | Sourcetype API for aws:config
index | true | Index
enable_additional_notifications | false | API for enabling additional notifications.

Description input

https://<host>:<mPort>/splunk_ta_aws_aws_description

GET, POST, or DELETE

API for AWS Description inputs.

Request parameters

Name | Required (Boolean) | Description
name | true | Name
account | true | AWS Account
aws_iam_role | false | Assume role
regions | true | AWS Regions
apis | true | APIs for the following information: ec2_volumes/3600,ec2_instances/3600,ec2_reserved_instances/3600,ebs_snapshots/3600,classic_load_balancers/3600,application_load_balancers/3600,vpcs/3600,vpc_network_acls/3600,cloudfront_distributions/3600,vpc_subnets/3600,rds_instances/3600,ec2_key_pairs/3600,ec2_security_groups/3600,ec2_images/3600,ec2_addresses/3600,lambda_functions/3600,s3_buckets/3600
sourcetype | true | Sourcetype API for aws:description
index | true | Index

IAM role settings

https://<host>:<mPort>/splunk_ta_aws_iam_roles

GET, POST, or DELETE

API for IAM role settings.

Request parameters

Name | Required (Boolean) | Description
name | true | Name
arn | true | Role ARN

Incremental S3 input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/<incremental_s3_input_name>

GET, POST, or DELETE

API for the AWS Incremental S3 input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
aws_account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
host_name | 0 | - | Host name of the S3 service.
aws_s3_region | 0 | - | AWS region that contains the S3 bucket.
bucket_name | 1 | - | S3 bucket name.
log_type | 1 | - | Type of logs to ingest: cloudtrail, elb:accesslogs, cloudfront:accesslogs, or s3:accesslogs.
log_file_prefix | 0 | - | Prefix of the log file key, which, together with the other path elements, forms the URL under which the add-on searches for log files.
log_start_date | 0 | - | Start date of the logs, in the format %Y-%m-%d.
bucket_region | 0 | - | AWS region where the S3 bucket exists.
distribution_id | 0 | - | CloudFront distribution ID. Specify only when creating an input that collects CloudFront access logs.
max_fails | 0 | 10000 | Stop discovering new keys when the number of failed files exceeds max_fails.
max_number_of_process | 0 | 2 | Maximum number of processes.
max_number_of_thread | 0 | 4 | Maximum number of threads.
max_retries | 0 | -1 | Maximum number of retries for failed requests. Specify -1 to retry until success.
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify 0 to disable or 1 to enable.
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the S3 service.
sts_private_endpoint_enabled | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the STS service.
interval | 0 | 1800 | Data collection interval, in seconds.
sourcetype | 0 | aws:s3 | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs \
  -d name=test_incremental_s3_input \
  -d aws_account=test_account \
  -d aws_iam_role=test_iam_role \
  -d host_name=s3.amazonaws.com \
  -d aws_s3_region=ap-south-1 \
  -d bucket_name=testing-bucket-05 \
  -d log_type=<encode from actual value → s3:accesslogs> \
  -d log_file_prefix=test-prefix \
  -d log_start_date=2023-01-01 \
  -d bucket_region=ap-south-1 \
  -d interval=1800 \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input \
  -d aws_account=test_account \
  -d aws_iam_role=test_iam_role \
  -d host_name=s3.amazonaws.com \
  -d aws_s3_region=ap-south-1 \
  -d bucket_name=testing-bucket-05 \
  -d log_type=<encode from actual value → s3:accesslogs> \
  -d log_file_prefix=test-prefix \
  -d log_start_date=2023-01-01 \
  -d bucket_region=ap-south-1 \
  -d interval=1800 \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_logs/test_incremental_s3_input

Inspector input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/<inspector_input_name>

GET, POST, or DELETE

API for the Amazon Inspector input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
regions | 1 | - | AWS regions that contain your data. Enter region IDs as a comma-separated list.
polling_interval | 1 | 300 | Data collection interval, in seconds.
sourcetype | 0 | aws:kinesis | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector \
  -d name=test_inspector_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> \
  -d polling_interval=300 \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> \
  -d polling_interval=600 \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector/test_inspector_input

Inspector V2 input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/<inspector_v2_input_name>

GET, POST, or DELETE

API for the Amazon Inspector V2 input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
regions | 1 | - | AWS regions that contain your data. Enter region IDs as a comma-separated list.
polling_interval | 1 | 300 | Data collection interval, in seconds.
sourcetype | 0 | aws:kinesis | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2 \
  -d name=test_inspector_v2_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> \
  -d polling_interval=300 \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-2> \
  -d polling_interval=600 \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_inspector_v2/test_inspector_v2_input

Kinesis input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/<kinesis_input_name>

GET, POST, or DELETE

API for the AWS Kinesis input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
region | 1 | - | AWS region of the Kinesis stream.
stream_names | 1 | - | Kinesis stream names as a comma-separated list. Leave empty to collect all streams.
init_stream_position | 0 | LATEST | Stream position from which to start collecting data. Specify either TRIM_HORIZON (from the beginning) or LATEST (recent live data).
encoding | 0 | - | Encoding of the stream data. Set to gzip or leave blank, which defaults to Base64.
format | 0 | - | Format of the collected data. Specify CloudWatchLogs or leave empty.
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify 0 to disable or 1 to enable.
kinesis_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the Kinesis service.
sts_private_endpoint_enabled | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the STS service.
sourcetype | 0 | aws:kinesis | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis \
  -d name=test_kinesis_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d region=ap-south-1 \
  -d stream_names=test-stream \
  -d init_stream_position=LATEST \
  -d encoding=gzip \
  -d format=CloudWatchLogs \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d region=ap-south-1 \
  -d stream_names=test-stream \
  -d init_stream_position=TRIM_HORIZON \
  -d encoding=gzip \
  -d format=CloudWatchLogs \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_kinesis/test_kinesis_input

S3 input

https://<host>:<mPort>/splunk_ta_aws_aws_s3

GET, POST, or DELETE

API for the AWS S3 input.

Request parameters

Name | Required (Boolean) | Description
name | true | Name
aws_account | true | AWS Account
aws_iam_role | false | Assume role
host_name | true | S3 host name
bucket_name | true | S3 bucket name
key_name | false | S3 key prefix
initial_scan_datetime | false | Start date/time
blacklist | false | Blacklist
whitelist | false | Whitelist
polling_interval | true | Interval
sourcetype | true | Sourcetype API for aws:cloudtrail, aws:s3:accesslogs, aws:cloudfront:accesslogs, and aws:elb:accesslogs
index | true | Index

Metadata input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/<metadata_input_name>

GET, POST, or DELETE

API for the AWS Metadata input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
regions | 1 | - | AWS regions to collect data from, as a comma-separated list.
apis | 1 | - | APIs to collect data with and the interval for each API, in the format api_name/interval_in_seconds. For example, ec2_instances/3600, kinesis_stream/3600.
sourcetype | 0 | aws:metadata | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata \
  -d name=test_metadata_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> \
  -d apis=<encode from actual value → ec2_instances/3600, lambda_functions/3600, s3_buckets/3600> \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input \
  -d account=test_account \
  -d aws_iam_role=test_iam_role \
  -d regions=<encode from actual value → ap-northeast-1,ap-south-1,ap-northeast-3> \
  -d apis=<encode from actual value → ec2_instances/3600, lambda_functions/3600, s3_buckets/3600> \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_metadata/test_metadata_input

SQS input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/<sqs_input_name>

GET, POST, or DELETE

API for the AWS SQS input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
aws_account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
aws_region | 0 | - | List of AWS regions that contain the SQS queues.
sqs_queues | 1 | - | AWS SQS queue names, as a comma-separated list.
interval | 1 | 30 | Data collection interval.
sourcetype | 1 | - | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs \
  -d name=test_sqs_input \
  -d aws_account=test_account \
  -d aws_iam_role=test_iam_role \
  -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> \
  -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> \
  -d interval=30 \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input \
  -d aws_account=test_account \
  -d aws_iam_role=test_iam_role \
  -d aws_region=<encode from actual value → ["ap-south-1","ap-northeast-1"]> \
  -d sqs_queues=<encode from actual value → ["test-queue-1,test-queue-2","test-queue-3,test-queue-4"]> \
  -d interval=30 \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_splunk_ta_aws_sqs/test_sqs_input

SQS-based S3 input

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3

https://<host>:<mgmt_port>/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/<sqs_based_s3_input_name>

GET, POST, or DELETE

API for the AWS SQS-based S3 input.

Request URL parameters

Parameter | Default | Description
output_mode | - | If output_mode=json, the response is returned in JSON format.

Request body parameters

Parameter | Required | Default value | Description
name | 1 | - | Unique name for the input.
aws_account | 1 | - | AWS account name.
aws_iam_role | 0 | - | AWS IAM role.
using_dlq | 0 | 1 | Specify 1 to enable or 0 to disable checking for a dead letter queue (DLQ).
sqs_sns_validation | 0 | 1 | Enable or disable SNS signature validation. Specify either 0 or 1.
parse_csv_with_header | 0 | 0 | Enable parsing of CSV data with a header; the first line of the file is treated as the header. Specify either 0 or 1.
parse_csv_with_delimiter | 0 | , | Delimiter to use when parsing CSV files.
sqs_queue_region | 1 | - | Name of the AWS region in which the notification queue is located.
sqs_queue_url | 1 | - | SQS queue to which notifications of S3 file creation are sent.
sqs_batch_size | 0 | 10 | Maximum number of messages to pull from SQS in one batch.
s3_file_decoder | 1 | - | Name of the decoder that turns files into events: CloudTrail, Config, S3 Access Logs, ELB Access Logs, CloudFront Access Logs, or CustomLogs.
private_endpoint_enabled | 0 | - | Whether to use a private endpoint. Specify either 0 or 1.
sqs_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the SQS service.
s3_private_endpoint_url | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the S3 service.
sts_private_endpoint_enabled | 1 if private_endpoint_enabled=1 | - | Private endpoint URL for connecting to the STS service.
interval | 0 | 300 | Data collection interval.
sourcetype | 1 | - | Sourcetype of the collected data.
index | 1 | default | Splunk index to ingest data into. Default is main.

Examples

GET

List all inputs:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3

List a specified input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input

POST

Create input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3 \
  -d name=test_sqs_based_s3_input \
  -d aws_account=test_account \
  -d aws_iam_role=test_iam_role \
  -d using_dlq=1 \
  -d sqs_sns_validation=1 \
  -d parse_csv_with_header=1 \
  -d parse_csv_with_delimiter=<encode from actual value → ,> \
  -d sqs_queue_region=ap-south-1 \
  -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue> \
  -d sqs_batch_size=10 \
  -d s3_file_decoder=CustomLogs \
  -d interval=300 \
  -d sourcetype=test_sourcetype \
  -d index=default

Edit input:
curl -u admin:password https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input \
  -d aws_account=test_account \
  -d aws_iam_role=test_iam_role \
  -d using_dlq=1 \
  -d sqs_sns_validation=1 \
  -d parse_csv_with_header=1 \
  -d parse_csv_with_delimiter=<encode from actual value → |> \
  -d sqs_queue_region=ap-south-1 \
  -d sqs_queue_url=<encode from actual value → https://sqs.ap-south-1.amazonaws.com/123456789012/test-queue> \
  -d sqs_batch_size=10 \
  -d s3_file_decoder=Config \
  -d interval=300 \
  -d sourcetype=test_sourcetype \
  -d index=default

DELETE

Delete input:
curl -u admin:password -X DELETE https://localhost:8089/servicesNS/nobody/Splunk_TA_aws/splunk_ta_aws_aws_sqs_based_s3/test_sqs_based_s3_input
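The curl examples on this page mark several values with "<encode from actual value → ...>": characters such as ":", ",", "/", "[" and quotes must be percent-encoded before they are passed with -d, otherwise the form body is corrupted. The examples also place the Splunk credentials inline as -u admin:password, which exposes them to anyone who can read the process list or the shell history. The following added example is not part of the Splunk documentation or the add-on itself; it shows a POSIX shell urlencode function that produces exactly the encoded form those placeholders stand for, and a wrapper that hands each name=value pair to curl's --data-urlencode (so curl does the encoding) and reads credentials from ~/.netrc via --netrc. The environment variables SPLUNK_MGMT, TA_AWS_CACERT and TA_AWS_DRY_RUN, and the function names, are this example's own assumptions; TA_AWS_DRY_RUN=1 prints the curl argument vector instead of sending a request, which is how the sample call at the end runs offline.

```shell
#!/bin/sh
# Added example, not Splunk code. Assumes curl is installed, the Splunk
# management port is reachable at $SPLUNK_MGMT, and ~/.netrc holds the
# Splunk login so credentials never appear on the command line.
SPLUNK_MGMT=${SPLUNK_MGMT:-https://localhost:8089}
TA_AWS_BASE="$SPLUNK_MGMT/servicesNS/nobody/Splunk_TA_aws"

# Percent-encode a value per RFC 3986: every character except
# A-Z a-z 0-9 - _ . ~ becomes %XX. This is what the page's
# "<encode from actual value>" placeholders stand for. ASCII input only.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of $s (quoted pattern: literal)
    s=${s#?}                 # remainder of $s
    case $c in
      [a-zA-Z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'x" yields the byte value of x
    esac
  done
  printf '%s\n' "$out"
}

# Send (or, with TA_AWS_DRY_RUN=1, print) a request to an endpoint under
# $TA_AWS_BASE. $1 is the HTTP method, $2 the endpoint path relative to the
# base, and each further argument a raw name=value pair. curl's
# --data-urlencode performs the percent-encoding, so values such as
# s3:accesslogs or a JSON region list are passed unencoded. --netrc supplies
# the credentials; TA_AWS_CACERT, if set, pins the management port's CA
# instead of disabling verification with -k. output_mode=json is always used.
ta_aws_request() {
  method=$1
  url="$TA_AWS_BASE/$2?output_mode=json"
  shift 2
  n=$#
  while [ "$n" -gt 0 ]; do      # turn each name=value into "--data-urlencode name=value"
    set -- "$@" --data-urlencode "$1"
    shift
    n=$((n - 1))
  done
  if [ -n "${TA_AWS_CACERT:-}" ]; then
    set -- --cacert "$TA_AWS_CACERT" "$@"
  fi
  if [ "${TA_AWS_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' curl --netrc --silent --show-error --fail -X "$method" "$@" "$url"
    return 0
  fi
  curl --netrc --silent --show-error --fail -X "$method" "$@" "$url"
}

# Constructed demonstration (dry run, no network): the Incremental S3
# "Create input" call from this page, with log_type passed unencoded.
TA_AWS_DRY_RUN=1
ta_aws_request POST splunk_ta_aws_splunk_ta_aws_logs \
  name=test_incremental_s3_input aws_account=test_account \
  bucket_name=testing-bucket-05 log_type=s3:accesslogs \
  log_start_date=2023-01-01 interval=1800 index=default

# What the SQS input's aws_region list looks like once percent-encoded.
urlencode '["ap-south-1","ap-northeast-1"]'
```

The ~/.netrc entry takes the form `machine localhost login admin password <your password>` and should be readable only by its owner. Because the dry-run output is one argument per line, it doubles as a checklist of exactly what will be sent before the request is issued for real.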