Lookups for the Splunk Add-on for AWS

Lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/lookups on *nix systems and %SPLUNK_HOME%\etc\apps\Splunk_TA_aws\lookups on Windows systems. Lookup files map fields from Amazon Web Services (AWS) to CIM-compliant values in the Splunk platform. The Splunk Add-on for AWS has the following lookups:

| Lookup name | Purpose |
| --- | --- |
| aws_config_action_lookup_741.csv | Maps the status field to a CIM-compliant value for the action field. |
| aws_config_object_category_lookup_741.csv | Sorts the various AWS Config object categories into CIM-compliant values for the object_category field. |
| aws_cloudtrail_action_status_741.csv | Maps the eventName and errorCode fields to CIM-compliant values for action and status. |
| aws_cloudtrail_changetype_741.csv | Maps the eventSource to a CIM-compliant value for the change_type field. |
| aws_health_error_type_741.csv | Maps ErrorCode to ErrorDetail, ErrorCode, ErrorDetail. |
| aws_log_sourcetype_modinput_741.csv | Maps sourcetype to modinput. |
| cloudfront_edge_location_lookup_741.csv | Maps the x_edge_location value to a human-readable edge_location_name. |
| aws_vendor_product_aws_cloudtrail_741.csv | Defines CIM-compliant values for the vendor, product, and app fields based on the source type. |
| aws_vpcflow_action_lookup_741.csv | Maps the vpcflow_action field to a CIM-compliant action field. |
| aws_network_traffic_protocol_code_lookup_760.csv | Maps the numerical protocol code to the CIM-compliant protocol and transport fields and to a human-readable protocol_full_name field. |
| aws_vm_size_to_resources_741.csv | Maps the instance_type field to the CIM-compliant cpu_cores and mem_capacity fields. |
| aws_cloudwatch_guardduty_category_750.csv | Defines the value for the CIM field category based on the subject of the event. |
| aws_network_traffic_tcp_flags_760.csv | Maps the numeric value of the TCP flag to pre-defined values of the tcp_flag field. |