
Source types for the Splunk Add-on for AWS

The Splunk Add-on for Amazon Web Services (AWS) provides the index-time and search-time knowledge for alerts, events, and performance metrics. Source types and event types map the Amazon Web Services data to the Splunk Common Information Model (CIM).

See Troubleshoot the Splunk Add-on for AWS to find source types for internal logs.

See the following tables for the source types and event types used for AWS data mapping. Where the Data models column is empty, the page does not list CIM, ES Custom, or ITSI mappings for that row.

Pull-based API data collection sourcetypes

| Data type | Source type | Description | Supported input types | Data models |
|---|---|---|---|---|
| Billing | aws:billing, aws:billing:cur | aws:billing represents billing reports that you have configured in AWS. aws:billing:cur represents cost and usage reports. | Billing (Cost and Usage Report), Billing (Legacy) | CIM: None; ES Custom: None; ITSI: None |
| CloudFront Access Logs | aws:cloudfront:accesslogs | Represents CloudFront Access Logs. | SQS-based S3, Generic S3, Incremental S3 | CIM: None; ES Custom: None; ITSI: None |
| CloudTrail | aws:cloudtrail | Represents AWS API call history from the AWS CloudTrail service. | SQS-based S3, CloudTrail, Generic S3, Incremental S3 | |
| CloudWatch | aws:cloudwatch | Represents performance and billing metrics from the AWS CloudWatch service. | CloudWatch | |
| CloudWatch Logs | aws:cloudwatchlogs, aws:cloudwatchlogs:vpcflow, aws:cloudwatchlogs:vpcflow:metric | aws:cloudwatchlogs represents generic data from the CloudWatch Logs service. aws:cloudwatchlogs:vpcflow represents VPC Flow Logs from the CloudWatch Logs service. aws:cloudwatchlogs:vpcflow:metric represents VPC Flow Logs metric data from the CloudWatch Logs service. | Kinesis, CloudWatch Logs | CIM: Network Traffic, but only for aws:cloudwatchlogs:vpcflow; ES Custom: None; ITSI: None |
| Config | aws:config, aws:config:notification | aws:config represents real-time and historical configuration snapshots. aws:config:notification represents configuration change notifications. | SQS-based S3, AWS Config | |
| Config Rules | aws:config:rule | Represents compliance details, compliance summary, and evaluation status of your AWS Config Rules. | Config Rules | |
| Delimited Files | aws:s3:csv | Represents delimited files (CSV, PSV, and TSV file extensions, and single-space-separated files). Provides an index-time timestamp for events. | SQS-based S3, Generic S3 | CIM: None; ES Custom: None; ITSI: None |
| ELB Access Logs | aws:elb:accesslogs | Represents ELB Access Logs. | SQS-based S3, Generic S3, Incremental S3 | CIM: None; ES Custom: None; ITSI: None |
| Inspector | aws:inspector, aws:inspector:v2:findings | aws:inspector represents assessments, runs, and findings data from the Amazon Inspector service. aws:inspector:v2:findings represents findings data from the Amazon Inspector service. | Inspector, Inspector (v2) | |
| Metadata | aws:metadata | Descriptions of your AWS EC2 instances, reserved instances, and EBS snapshots. | Metadata | |
| S3 | aws:s3 | Represents generic log data from your S3 buckets. | Generic S3, Incremental S3, SQS-based S3 | CIM: None; ES Custom: None; ITSI: None |
| S3 Access Logs | aws:s3:accesslogs | Represents S3 Access Logs. | SQS-based S3, Generic S3, Incremental S3 | CIM: Web; ES Custom: None; ITSI: None |
| Amazon Security Lake | aws:asl | aws:asl represents AWS API dataset data collection from Amazon Security Lake. | SQS-based S3 | CIM: None; ES Custom: None; ITSI: None |
| SQS | aws:sqs | Represents generic data from SQS. | SQS | CIM: None; ES Custom: None; ITSI: None |
| VPC Flow Logs | aws:cloudwatchlogs:vpcflow, aws:cloudwatchlogs:vpcflow:metric | Represents VPC Flow Logs. | SQS-based S3, Kinesis, CloudWatch Logs | |
| CloudTrail Lake | aws:cloudtrail:lake | Represents JSON data from the CloudTrail Lake event data store. | CloudTrail Lake | CIM: None; ES Custom: None; ITSI: None |
| GuardDuty Events | aws:cloudwatchlogs:guardduty | Represents GuardDuty Events. | CloudWatch Logs | |
| Transit Gateway Flow Logs | aws:transitgateway:flowlogs | Represents Transit Gateway Flow Logs. | SQS-based S3 | |

Push-based Amazon Kinesis Firehose data collection sourcetypes

The Splunk Add-on for Amazon Web Services provides knowledge management for the following Amazon Kinesis Firehose source types:

| Data source | Source type | CIM compliance | Description |
|---|---|---|---|
| CloudTrail events | aws:cloudtrail | Change, Authentication | AWS API call history from the AWS CloudTrail service, delivered as CloudWatch events. For CloudTrail events embedded within CloudWatch events, override the source name optional field with aws_firehose_cloudtrail in the HTTP Event Collector (HEC) token for index-time field extractions. The Change data model includes the Network dataset for some fields. |
| CloudWatch events | aws:firehose:cloudwatchevents | None | Data from CloudWatch. You can also extract CloudTrail events embedded within CloudWatch events with this source type. |
| GuardDuty events | aws:cloudwatch:guardduty | Alerts, Intrusion Detection | GuardDuty events from CloudWatch. For GuardDuty events embedded within CloudWatch events, override the source name optional field with aws_cloudwatchevents_guardduty in the HEC token for index-time field extractions. |
| Amazon Identity and Access Management (IAM) Access Analyzer events | aws:accessanalyzer:finding | None | When using an EventBridge event bus to ingest the events, set the source to aws_eventbridgeevents_iam_aa when configuring the HEC token. |
| Amazon Kinesis Firehose JSON data | aws:firehose:json | None | Any JSON-formatted Firehose data. |
| Amazon Kinesis Firehose text data | aws:firehose:text | None | Firehose raw text format. |
| AWS Security Hub | aws:securityhub:finding | Alerts | Collect events from AWS Security Hub. For AWS Security Hub events embedded within AWS CloudWatch events, override the source name optional field with aws_cloudwatchevents_securityhub in the HEC token for index-time field extractions. |
| VPC Flow Logs | aws:cloudwatchlogs:vpcflow, aws:cloudwatchlogs:vpcflow:metric | Network Traffic | VPC Flow Logs from CloudWatch. When ingesting CloudWatch Logs, set the Lambda buffering size to 1 MB. See the data transformation flow in the Amazon Kinesis Firehose documentation for more information. See the example Kinesis Firehose Lambda function that removes the JSON wrapper around VPC Flow Logs before they reach Splunk: https://github.com/ranjitkk/ranjit_aws_repo_public/blob/main/Splunk_FlowLogs_Firehose_processor.py |
| Transit Gateway Flow Logs | aws:transitgateway:flowlogs | Network Traffic | Collect Transit Gateway Flow Logs through HEC. |
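The VPC Flow Logs row above refers to a Firehose transformation Lambda that strips the CloudWatch Logs JSON wrapper so Splunk indexes bare flow-log lines under aws:cloudwatchlogs:vpcflow. The following is an added illustration of that unwrapping step; it is not the add-on's code and not the script at the linked repository. It assumes the standard Firehose transformation contract (input records with `recordId` and base64 `data`; output records with `recordId`, `result` of `Ok`, `Dropped` or `ProcessingFailed`, and base64 `data`) and the CloudWatch Logs subscription payload shape (gzip-compressed JSON with `messageType` and `logEvents`). The flow-log lines, account ID, ENI and log group names are constructed sample values.

```python
import base64
import gzip
import json

# Constructed sample VPC Flow Log lines (default 14-field format); not real traffic.
SAMPLE_FLOW_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.1.10 443 49152 6 8 1200 1700000000 1700000060 ACCEPT OK",
]


def build_subscription_record(record_id, message_type, messages):
    """Build one Firehose input record in the shape a CloudWatch Logs
    subscription filter delivers: gzip-compressed JSON, base64-encoded.
    Used here only to construct sample input (hypothetical values)."""
    payload = {
        "messageType": message_type,
        "owner": "123456789012",
        "logGroup": "/aws/vpc/flowlogs",
        "logStream": "eni-0a1b2c3d4e5f6a7b8-all",
        "subscriptionFilters": ["to-firehose"],
        "logEvents": [
            {"id": str(i), "timestamp": 1700000000000 + i, "message": m}
            for i, m in enumerate(messages)
        ],
    }
    blob = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"recordId": record_id, "data": base64.b64encode(blob).decode("ascii")}


def unwrap_record(record):
    """Strip the CloudWatch Logs JSON wrapper from one Firehose record.

    Returns a Firehose transformation result: "Ok" with the bare,
    newline-terminated flow-log lines as data; "Dropped" for control
    messages or empty batches; "ProcessingFailed" if the record cannot
    be parsed (Firehose then delivers it to the error S3 prefix).
    """
    record_id = record["recordId"]
    try:
        raw = base64.b64decode(record["data"])
        try:
            raw = gzip.decompress(raw)
        except OSError:
            pass  # not gzip-compressed; treat as plain JSON
        payload = json.loads(raw)
    except (KeyError, ValueError, UnicodeDecodeError):
        return {"recordId": record_id, "result": "ProcessingFailed"}
    if not isinstance(payload, dict):
        return {"recordId": record_id, "result": "ProcessingFailed"}

    if payload.get("messageType") != "DATA_MESSAGE":
        # CONTROL_MESSAGE is the subscription health check; nothing to index.
        return {"recordId": record_id, "result": "Dropped"}

    lines = [e["message"] for e in payload.get("logEvents", []) if "message" in e]
    if not lines:
        return {"recordId": record_id, "result": "Dropped"}

    out = ("\n".join(lines) + "\n").encode("utf-8")
    return {
        "recordId": record_id,
        "result": "Ok",
        "data": base64.b64encode(out).decode("ascii"),
    }


def handler(event, context=None):
    """Lambda entry point for a Firehose data transformation."""
    return {"records": [unwrap_record(r) for r in event.get("records", [])]}


def decoded_data(result):
    """Helper to read back the transformed payload as text."""
    return base64.b64decode(result["data"]).decode("utf-8")


if __name__ == "__main__":
    sample_event = {"records": [
        build_subscription_record("r1", "DATA_MESSAGE", SAMPLE_FLOW_LINES),
        build_subscription_record("r2", "CONTROL_MESSAGE",
                                  ["CWL CONTROL MESSAGE: Checking health of destination Firehose."]),
    ]}
    for rec in handler(sample_event)["records"]:
        print(rec["recordId"], rec["result"], decoded_data(rec) if rec["result"] == "Ok" else "")
```

Each output record must carry the same `recordId` it came in with, and the 1 MB Lambda buffering size mentioned in the table bounds how many log events arrive in one invocation; dropping control messages and emitting one newline-terminated line per log event is what lets Splunk's line-breaking and the aws:cloudwatchlogs:vpcflow field extractions see the original flow-log text.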