All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

CloudTrail Network Activity events not processed via Generic S3 input

akkermansie
Engager
‎01-14-2026 07:35 AM

We recently enabled Network Activity Events on our Organizational CloudTrail, and the logs are being delivered to an S3 bucket. Despite logs being delivered to S3, Splunk does not process or index these events, and queries return no results. 

The network activity logs are stored in the following path format: AWSLogs/<org_id>/<account_id>/CloudTrail-NetworkActivity/

We are using Splunk version 7.10.0 and don't see any errors in the logs.

 

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎01-14-2026 02:15 PM

Hi @akkermansie 

Have you set a 'Log File Prefix' in your Generic S3 input? 

I suspect its unrelated to your issue but version 8.1.0 is now available for the AWS Add-on so you may also want to consider upgrading.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

akkermansie
Engager
‎01-15-2026 12:44 AM

We have not configured the log_file_prefix argument and the sourcetype is set to aws:cloudtrail.

I suspect that indexing CloudTrail events directly from an S3 bucket using the aws:cloudtrail sourcetype may only support CloudTrail Management Events. Other event types, such as Data Events or Network Activity events, might not be fully supported in this configuration. But I cannot find anything in the docs about this.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2026 07:48 AM

Have you configured and enabled an input as described in https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudTrail/ ?

P.S. It appears the version 7.10.0 is no longer available to consider upgrading to 7.11.0 or newer.

---
If this reply helps you, Karma would be appreciated.
Reply

akkermansie
Engager
‎01-14-2026 08:44 AM

We are receiving and ingesting the Management events. As described in my first message, the issue is related to ingesting Network Activity.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.ht...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2026 08:59 AM

You need an input to tell Splunk to ingest the Network Activity data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

akkermansie
Engager
‎01-14-2026 09:07 AM

Why we would need a new input for this? All of our logs are stored in a single S3 bucket (including Management events and Network activity events).

AWSLogs/<org_id>/<account_id>/CloudTrail/<logs>
AWSLogs/<org_id>/<account_id>/CloudTrail-NetworkActivity/<logs>

If we would create a new input, how would we make sure that input would only process Network Activity events?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2026 11:05 AM

That you are ingesting Management events, but not Network Activity events tells me there is an input defined for the former, but not the latter.  Perhaps this is not the intent, but it is the effect.

Can you share the CloudTrail input(s)?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...