Source types for the Splunk Add-on for AWS¶
The Splunk Add-on for Amazon Web Services (AWS) provides the index-time and search-time knowledge for alerts, events, and performance metrics. Source types and event types map the Amazon Web Service data to the Splunk Common Information Model (CIM)
See Troubleshoot the Splunk Add-on for AWS to find source types for internal logs.
See the following table for source types and event types for AWS data mapping:
Pull-based API data collection sourcetypes¶
Data type |
Source type |
Description |
Supported input types |
Data models |
|---|---|---|---|---|
Billing |
|
|
Billing (Cost and Usage Report) Billing (Legacy) |
|
CloudFront Access Logs |
|
Represents CloudFront Access Logs. |
SQS-based S3 Generic S3 Incremental S3 |
|
CloudTrail |
|
Represents AWS API call history from the AWS CloudTrail service. |
SQS-based S3 CloudTrail Generic S3 Incremental S3 |
|
CloudWatch |
|
Represents performance and billing metrics from the AWS CloudWatch service. |
CloudWatch |
|
CloudWatch Logs |
|
|
Kinesis CloudWatch Logs |
|
Config |
|
|
SQS-based S3 AWS Config |
|
Config Rules |
|
Represents compliance details, compliance summary, and evaluation status of your AWS Config Rules. |
Config Rules |
|
Delimited Files |
|
Represents delimited files (CSV, PSV, TSV file extensions). Provides index-time timestamp for events. |
SQS-based S3 Generic S3 |
|
ELB Access Logs |
|
Represents ELB Access Logs. |
SQS-based S3 Generic S3 Incremental S3 |
|
Inspector |
|
|
Inspector Inspector (v2) |
|
Metadata |
|
Descriptions of your AWS EC2 instances, reserved instances, and EBS snapshots. |
Metadata |
|
S3 |
|
Represents generic log data from your S3 buckets. |
Generic S3 Incremental S3 SQS-based S3 |
|
S3 Access Logs |
|
Represents S3 Access Logs. |
SQS-based S3 Generic S3 Incremental S3 |
|
Amazon Security Lake |
aws:asl |
|
SQS-based S3 |
|
SQS |
|
Represents generic data from SQS. |
SQS |
|
VPC Flow Logs |
|
Represents VPC Flow Logs. |
SQS-based S3 Kinesis |
|
CloudTrail Lake |
|
Represents JSON data from cloudtrail lake event data store. |
CloudTrail Lake |
|
GuardDuty Events |
|
Represents GuardDuty Events. |
Cloudwatch Logs |
|
Transit Gateway Flow Logs |
|
Represents Transit Gateway Flow Logs. |
SQS-based S3 |
|
Push-based Amazon Kinesis Firehose data collection sourcetypes¶
The Splunk Add-on for Amazon Web Services provides knowledge management for the following Amazon Kinesis Firehose source types:
Data source |
Source type |
CIM compliance |
Description |
|---|---|---|---|
CloudTrail events |
|
AWS API call history from the AWS CloudTrail service, delivered
as CloudWatch events. For CloudTrail events embedded within CloudWatch
events, override the source name optional field
|
|
CloudWatch events |
|
None |
Data from CloudWatch. You can extract CloudTrail events embedded within CloudWatch events with this sourcetype as well. |
GuardDuty events |
|
GuardDuty events from CloudWatch. For GuardDuty events embedded
within CloudWatch events, override the source name optional field with
|
|
Amazon Identity and Access Management (IAM) Access Analyzer events |
|
None |
Using Eventbridge event bus to ingest the events, set the source
to |
Amazon Kinesis Firehose JSON data |
|
None |
Any JSON formatted Firehose data. |
Amazon Kinesis Firehose text data |
|
None |
Firehose raw text format. |
AWS Security Hub |
|
Collect events from AWS Security Hub. For AWS Security Hub events
embedded within AWS CloudWatch events, override the source name optional
field with |
|
VPC Flow Logs |
|
VPC Flow Logs from CloudWatch. When ingesting CloudWatch logs,
set the Lambda buffering size to 1 MB. See data
transformation flow in the Amazon Kinesis Firehose documentation for
more information. |
|
Transit Gateway Flow Logs |
|
Collect Transit Gateway Flow Logs through HEC. |