All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to source as logStreamName using splunk-cloudwatch-logs-processor lambda blueprint?

ehorwood
Explorer
‎05-03-2017 01:14 PM

Hi,

I've been trying to configure the Lambda function splunk-cloudwatch-logs-processor from the Splunk blog article: how-to-easily-stream-aws-cloudwatch-logs-to-splunk/

But when the logs are being pushed into splunk the source is either the lambda function name or lambda:undefined
Which means all of the logs from the LogGroup are pushed into one undefinable mess. Can't tell the difference between the LogStreams within the LogGroup.

I can use the following to edit the source as "test"

       logger.logEvent({
           time: item.timestamp, 
           event: item.message, 
           source: "test",
       });

But I want the source to be the logstreamname where the logs are getting pushed into splunk. Similar to how the Cloudwatch logs input on the AWS app works.
Something like:

           logger.logEvent({
               time: item.timestamp, 
               event: item.message, 
               source: item.logStreamName,
           });

But i've tried this and also parsed.logSteamName and various combinations of context.logStreamName /logStream/Stream etc.

Any help appreciated.

Thanks,

Labels (1)
Labels
Tags (3)
0 Karma
Reply

gprice
Engager
‎08-07-2018 09:36 AM

If you have logging enabled for your lambda function, you should be able to see the names of the fields available. When looking at them, remember it will be broken down by a header section and then a list of items. The context for item is limited to the scope of that log line, but the payload you are currently working in has a scope in the javascript of parsed. For my use case, I found that I was looking for parsed.logGroup to get the name of the log group as it appears in CloudWatch to appear as my source.

Hope this is still relevant to you, or others!

Reply

dsenapaty
Explorer
‎01-18-2023 07:16 AM

@gprice this worked for me perfectly. thanks for your answer.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...