Source types for the Splunk Add-on for AWS¶
The Splunk Add-on for Amazon Web Services (AWS) provides the index-time and search-time knowledge for alerts, events, and performance metrics. Source types and event types map the Amazon Web Service data to the Splunk Common Information Model (CIM)
See Troubleshoot the Splunk Add-on for AWS to find source types for internal logs.
See the following table for source types and event types for AWS data mapping:
Pull-based API data collection sourcetypes¶
| Data type | Source type | Description | Supported input types | Data models |
|---|---|---|---|---|
| Billing | aws:billing aws:billing:cur |
aws:billing represents billing reports that you have configured in AWS. aws:billing:cur represents cost and usage reports. |
Billing (Cost and Usage Report) Billing (Legacy) |
|
| CloudFront Access Logs | aws:cloudfront:accesslogs |
Represents CloudFront Access Logs. | SQS-based S3 Generic S3 Incremental S3 |
|
| CloudTrail | aws:cloudtrail |
Represents AWS API call history from the AWS CloudTrail service. | SQS-based S3 CloudTrail Generic S3 Incremental S3 |
|
| CloudWatch | aws:cloudwatch |
Represents performance and billing metrics from the AWS CloudWatch service. | CloudWatch |
|
| CloudWatch Logs | aws:cloudwatchlogsaws:cloudwatchlogs:vpcflowaws:cloudwatchlogs:vpcflow:metric |
aws:cloudwatchlogs represents generic data from the CloudWatch Logs service. aws:cloudwatchlogs:vpcflow represents VPC flow logs from the CloudWatch Logs service.aws:cloudwatchlogs:vpcflow:metric represents VPC Flow Logs metric data from the CloudWatch Logs service. |
Kinesis CloudWatch Logs |
|
| Config | aws:config aws:config:notification |
aws:config represents real time and historical configuration snapshots. aws:config:notification represents configuration change notifications. |
SQS-based S3 AWS Config |
|
| Config Rules | aws:config:rule |
Represents compliance details, compliance summary, and evaluation status of your AWS Config Rules. | Config Rules |
|
| Delimited Files | aws:s3:csv |
Represents delimited files (CSV, PSV, TSV file extensions, Single Space Seperated files). Provides index-time timestamp for events. | SQS-based S3 Generic S3 |
|
| ELB Access Logs | aws:elb:accesslogs |
Represents ELB Access Logs. | SQS-based S3 Generic S3 Incremental S3 |
|
| Inspector | aws:inspector >aws:inspector:v2:findings |
aws:inspector Represents assessments, runs, and findings data from the Amazon Inspector service. aws:inspector:v2:findings Represents findings data from the Amazon Inspector service. |
Inspector Inspector (v2) |
|
| Metadata | aws:metadata |
Descriptions of your AWS EC2 instances, reserved instances, and EBS snapshots. | Metadata |
|
| S3 | aws:s3 |
Represents generic log data from your S3 buckets. | Generic S3 Incremental S3 SQS-based S3 |
|
| S3 Access Logs | aws:s3:accesslogs |
Represents S3 Access Logs. | SQS-based S3 Generic S3 Incremental S3 |
|
| Amazon Security Lake | aws:asl |
aws:asl represents AWS API dataset data collection from Amazon Security Lake. |
SQS-based S3 |
|
| SQS | aws:sqs |
Represents generic data from SQS. | SQS |
|
| VPC Flow Logs | aws:cloudwatchlogs:vpcflow aws:cloudwatchlogs:vpcflow:metric |
Represents VPC Flow Logs. | SQS-based S3 Kinesis Cloudwatch Logs |
|
| CloudTrail Lake | aws:cloudtrail:lake |
Represents JSON data from cloudtrail lake event data store. | CloudTrail Lake |
|
| GuardDuty Events | aws:cloudwatchlogs:guardduty |
Represents GuardDuty Events. | Cloudwatch Logs |
|
| Transit Gateway Flow Logs | aws:transitgateway:flowlogs |
Represents Transit Gateway Flow Logs. | SQS-based S3 |
|
Push-based Amazon Kinesis Firehose data collection sourcetypes¶
The Splunk Add-on for Amazon Web Services provides knowledge management for the following Amazon Kinesis Firehose source types:
| Data source | Source type | CIM compliance | Description |
|---|---|---|---|
| CloudTrail events | aws:cloudtrail |
Change, Authentication | AWS API call history from the AWS CloudTrail service, delivered as CloudWatch events. For CloudTrail events embedded within CloudWatch events, override the source name optional field aws_firehose_cloudtrail in the HTTP Event Collector (HEC) token for index-time field extractions. Change data model includes the Network dataset for some fields. |
| CloudWatch events | aws:firehose:cloudwatchevents |
None | Data from CloudWatch. You can extract CloudTrail events embedded within CloudWatch events with this sourcetype as well. |
| GuardDuty events | aws:cloudwatch:guardduty |
Alerts, Intrusion Detection | GuardDuty events from CloudWatch. For GuardDuty events embedded within CloudWatch events, override the source name optional field with aws_cloudwatchevents_guardduty in the HEC token for index-time field extractions. |
| Amazon Identity and Access Management (IAM) Access Analyzer events | aws:accessanalyzer:finding |
None | Using Eventbridge event bus to ingest the events, set the source to aws_eventbridgeevents_iam_aa when configuring the HEC token. |
| Amazon Kinesis Firehose JSON data | aws:firehose:json |
None | Any JSON formatted Firehose data. |
| Amazon Kinesis Firehose text data | aws:firehose:text |
None | Firehose raw text format. |
| AWS Security Hub | aws:securityhub:finding |
Alerts | Collect events from AWS Security Hub. For AWS Security Hub events embedded within AWS CloudWatch events, override the source name optional field with aws_cloudwatchevents_securityhub in the HEC token for index-time field extractions. |
| VPC Flow Logs | aws:cloudwatchlogs:vpcflow aws:cloudwatchlogs:vpcflow:metric |
Network Traffic | VPC Flow Logs from CloudWatch. When ingesting CloudWatch logs, set the Lambda buffering size to 1 MB. See data transformation flow in the Amazon Kinesis Firehose documentation for more information. See the example Kinesis Firehose lambda function to remove the JSON wrapper around VPC Flow Logs before it reaches Splunk |
| Transit Gateway Flow Logs | aws:transitgateway:flowlogs |
Network Traffic | Collect Transit Gateway Flow Logs through HEC. |