Below is the document we followed to set up GuardDuty logs to be pushed into Splunk. We have configured the HEC token on our heavy forwarder and we are not seeing any data.
https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-...