Lookups for the Splunk Add-on for AWS
Lookup files are located in
$SPLUNK_HOME/etc/apps/Splunk_TA_aws/lookups on *nix systems and
%SPLUNK_HOME%\etc\apps\Splunk_TA_aws\lookups on Windows systems.
Lookup files map fields from Amazon Web Services (AWS) to CIM-compliant
values in the Splunk platform. The Splunk Add-on for AWS has the
following lookups:
| Lookup name | Purpose |
|---|---|
| aws_config_action_lookup_741.csv | Maps the status field to a CIM-compliant value for the action field. |
| aws_config_object_category_lookup_741.csv | Sorts the various AWS Config object categories into CIM-compliant values for the object_category field. |
| aws_cloudtrail_action_status_7100.csv | Maps the eventName and errorCode fields to CIM-compliant values for action and status. |
| aws_cloudtrail_changetype_7100.csv | Maps the eventSource field to a CIM-compliant value for the change_type field. |
| aws_health_error_type_741.csv | Maps ErrorCode to ErrorDetail. |
| aws_log_sourcetype_modinput_741.csv | Maps sourcetype to modinput. |
| cloudfront_edge_location_lookup_741.csv | Maps the x_edge_location value to a human-readable edge_location_name. |
| aws_vendor_product_aws_cloudtrail_741.csv | Defines CIM-compliant values for the vendor, product, and app fields based on the source type. |
| aws_vpcflow_action_lookup_741.csv | Maps the vpcflow_action field to a CIM-compliant action field. |
| aws_network_traffic_protocol_code_lookup_760.csv | Maps the numerical protocol code to the CIM-compliant protocol and transport fields and to a human-readable protocol_full_name field. |
| aws_vm_size_to_resources_741.csv | Maps the instance_type field to the CIM-compliant cpu_cores and mem_capacity fields. |
| aws_cloudwatch_guardduty_category_750.csv | Defines the value for the CIM category field based on the subject of the event. |
| aws_network_traffic_tcp_flags_760.csv | Maps the numeric value of the TCP flag to predefined values of the tcp_flag field. |