Getting Splunk to correctly read custom AWS VPC fl...

Getting Data In

Hello All,

I recently started ingesting vac flow logs from my AWS environment using the data manager app, and everything works fine in terms of getting the logs into splunk.

There is however one issue, when creating the VPC flow logs on AWS, we opted for a custom format to be able to glean additional fields like the "pkt-srcaddr" and pat-dstaddr". As a result of this, Splunk does not correctly interpret the logs on the console. I believe that Splunk is reading the logs using the default log format detailed below:

Default Format:
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}

how do I get it to read the logs using the custom format detailed below:

Custom Format
${version} ${account-id} ${vpc-id} ${subnet-id} ${interface-id} ${instance-id} ${flow-direction} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${pkt-srcaddr} ${pkt-dstaddr} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}

Get Updates on the Splunk Community!

Getting Splunk to correctly read custom AWS VPC flow logs

field extraction

sourcetype

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Are you a member of the Splunk Community?