New Field in Amazon S3 Server Access Logs - possible impact to Splunk_TA_aws

staten
Engager

We recently received the following notification from AWS ... I'm sharing in case changes to the Splunk_TA_aws are needed in order to exploit this additional field.


--------------

From: Amazon Web Services <health@aws.com>
Date: Saturday, January 17, 2026 at 2:27 PM
Subject: [Action May Be Required] New Field in Amazon S3 Server Access Logs

Hello,

We are contacting you because your AWS Account uses Amazon S3 Server Access Logging. In the coming months, we will add a new "source region" field at the end of Server Access Log records. This will provide visibility into the AWS Region from which requests to your data originate.

Required Action: If you parse S3 Server Access Logs programmatically, please verify that your parsing logic can handle additional fields at the end of log records.

This change follows our documented approach of extending log records by adding new fields at the end of each line. If your log parsing logic is implemented according to these practices, this change should not impact your existing workflows.

For more information about S3 Server Access Logs format and best practices, refer to our documentation. https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html


livehybrid
SplunkTrust

Hi @staten 

Currently the transform for extracting this data from S3 access logs is aws_s3_accesslogs_extract_all_fields which has the following regex:

^\s*(?P<bucket_owner>\S+)(\s+(?P<bucket_name>\S+))(\s+\[(?P<request_time>[\w\/\s:+]+)\])(\s+(?P<remote_ip>\S+))(\s+(?P<requester>\S+))(\s+(?P<request_id>\S+))(\s+(?P<operation>\S+))(\s+(?P<key>\S+))(\s+(?:"?)(?<request_uri>[-]|([^"]+))(?:"?))(\s+(?P<http_status>\S+))(\s+(?P<error_code>\S+))(\s+(?P<bytes_sent>\S+))(\s+(?P<object_size>\S+))(\s+(?P<total_time>\S+))(\s+(?P<turn_around_time>\S+))(\s+(?:"?)(?<referrer>[-]|([^"]+))(?:"?))(\s+(?:"?)(?<user_agent>[-]|([^"]+))(?:"?))(\s+(?P<version_id>\S+))(\s+(?P<host_id>\S+))?(\s+(?P<signature_version>\S+))?(\s+(?P<cipher_suite>\S+))?(\s+(?P<authentication_type>\S+))?(\s+(?P<host_header>\S+))?(\s+(?P<tls_version>\S+))?(\s+(?P<access_point_arn>\S+))?(\s+(?P<acl_required>\S+))?

Thankfully an additional field at the end of the log for 'source region' will not break the existing regex (see https://regex101.com/r/I5fTqF/1), so it should not prevent any existing extractions, but to your question around extractions needed to utilise this new field, this is something that would need to come with an updated version of the TA.

Given that this announcement came in the last few days (I also received it at the weekend), it's unsurprising that the TA has not yet been updated, and actually I wouldn't necessarily expect the TA to be updated until the change by AWS has been rolled out, as it will need to be adequately tested against the new log format before release.

If I were you I would be tempted to log a support case with Splunk about this, as they maintain and support the plugin, to ensure that these changes are on their roadmap, and they might be able to give an indication as to when the changes will reach the app.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

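To check the claim in the answer above against concrete input, here is an added example (not code from Splunk_TA_aws, from Splunk, or from the answer's author) that runs the quoted aws_s3_accesslogs_extract_all_fields regex in Python over two constructed log records: one in today's 26-field layout and the same record with a trailing region token appended. It also shows the one-group extension that would capture the new field. The sample lines are constructed to follow the documented field order and are not real data; the extension assumes the new "source region" field is a single whitespace-free token such as us-east-1, which AWS has not yet confirmed.

```python
"""Run the Splunk_TA_aws S3 access-log regex over lines with and without a trailing field.

Added example, not code from Splunk_TA_aws, Splunk or AWS. TA_REGEX is the
aws_s3_accesslogs_extract_all_fields regex quoted in the thread. The sample
records are constructed (not real log data). The extended pattern assumes the
coming "source region" field is one whitespace-free token (e.g. us-east-1);
AWS has not published its exact form, so treat that as an assumption.
"""
import re
from typing import Dict, List, Optional

# The transform regex exactly as quoted in the answer (Splunk evaluates it with PCRE).
TA_REGEX = (
    r'^\s*(?P<bucket_owner>\S+)(\s+(?P<bucket_name>\S+))(\s+\[(?P<request_time>[\w\/\s:+]+)\])'
    r'(\s+(?P<remote_ip>\S+))(\s+(?P<requester>\S+))(\s+(?P<request_id>\S+))(\s+(?P<operation>\S+))'
    r'(\s+(?P<key>\S+))(\s+(?:"?)(?<request_uri>[-]|([^"]+))(?:"?))(\s+(?P<http_status>\S+))'
    r'(\s+(?P<error_code>\S+))(\s+(?P<bytes_sent>\S+))(\s+(?P<object_size>\S+))(\s+(?P<total_time>\S+))'
    r'(\s+(?P<turn_around_time>\S+))(\s+(?:"?)(?<referrer>[-]|([^"]+))(?:"?))'
    r'(\s+(?:"?)(?<user_agent>[-]|([^"]+))(?:"?))(\s+(?P<version_id>\S+))(\s+(?P<host_id>\S+))?'
    r'(\s+(?P<signature_version>\S+))?(\s+(?P<cipher_suite>\S+))?(\s+(?P<authentication_type>\S+))?'
    r'(\s+(?P<host_header>\S+))?(\s+(?P<tls_version>\S+))?(\s+(?P<access_point_arn>\S+))?'
    r'(\s+(?P<acl_required>\S+))?'
)


def _to_python(pattern: str) -> str:
    """PCRE accepts both (?P<name>...) and (?<name>...); Python's re only the former.

    The TA regex mixes the two, so rewrite the short form. Safe here because the
    pattern contains no lookbehind, which also begins with "(?<".
    """
    return pattern.replace("(?<", "(?P<")


TA_PATTERN = re.compile(_to_python(TA_REGEX))

# Assumed extension: one more optional trailing token for the announced field.
EXTENDED_PATTERN = re.compile(_to_python(TA_REGEX + r'(\s+(?P<source_region>\S+))?'))

# Constructed sample record in the documented 26-field order (not real data).
LINE_CURRENT = (
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket "
    "[06/Feb/2019:00:00:38 +0000] 192.0.2.3 "
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE "
    'REST.GET.VERSIONING - "GET /amzn-s3-demo-bucket?versioning HTTP/1.1" '
    '200 - 113 - 7 - "-" "S3Console/0.4" - '
    "s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV+BypIRl7XBGyjrmuEzBQ== "
    "SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com "
    "TLSV1.2 arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP Yes"
)
# Same record with the assumed new field appended at the end of the line.
LINE_WITH_REGION = LINE_CURRENT + " us-east-1"


def parse(line: str, pattern: re.Pattern = TA_PATTERN) -> Optional[Dict[str, Optional[str]]]:
    """Field dict as the transform would produce it, or None if the line does not match."""
    m = pattern.match(line)
    return None if m is None else m.groupdict()


def unmatched_tail(line: str, pattern: re.Pattern = TA_PATTERN) -> List[str]:
    """Tokens left after the last field the pattern consumed; non-empty means data was dropped.

    The regex has no trailing "$", which is exactly why an extra field is ignored
    rather than breaking the match. Running this over a sample of real records is
    the quickest way to notice that AWS has started emitting the new field.
    """
    m = pattern.match(line)
    return [] if m is None else line[m.end():].split()


if __name__ == "__main__":
    for label, line in (("current", LINE_CURRENT), ("with region", LINE_WITH_REGION)):
        fields = parse(line)
        print(f"{label}: matched={fields is not None}, "
              f"fields={len(fields) if fields else 0}, dropped={unmatched_tail(line)}")
    print("extended:", parse(LINE_WITH_REGION, EXTENDED_PATTERN)["source_region"])
```

Both lines match the unchanged TA regex and yield the same 26 fields; the only difference is that `unmatched_tail` reports `["us-east-1"]` for the extended line, i.e. the new value is silently discarded until the transform gains a group for it. With `EXTENDED_PATTERN` the extra token lands in `source_region`, and a record without it simply gets `None` there, so the same pattern serves both old and new records during the rollout.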

staten
Engager

Support case opened and under review.

