Getting Splunk to correctly read custom AWS VPC fl...

Getting Data In

Hello All,

I recently started ingesting vac flow logs from my AWS environment using the data manager app, and everything works fine in terms of getting the logs into splunk.

There is however one issue, when creating the VPC flow logs on AWS, we opted for a custom format to be able to glean additional fields like the "pkt-srcaddr" and pat-dstaddr". As a result of this, Splunk does not correctly interpret the logs on the console. I believe that Splunk is reading the logs using the default log format detailed below:

Default Format:
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}

how do I get it to read the logs using the custom format detailed below:

Custom Format
${version} ${account-id} ${vpc-id} ${subnet-id} ${interface-id} ${instance-id} ${flow-direction} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${pkt-srcaddr} ${pkt-dstaddr} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}

Get Updates on the Splunk Community!

Getting Splunk to correctly read custom AWS VPC flow logs

field extraction

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation