Splunk Cloud Platform

AWS S3 to Splunk re-ingestion from failed Firehose sends.

magagm
New Member

Hello!

I am following this documentation and I am keen on re-ingestion of Failed AWS Firehose requests out via AWS SNS/SQS service using the Splunk AWS Add-On.

https://www.splunk.com/en_us/blog/tips-and-tricks/aws-firehose-to-splunk-two-easy-ways-to-recover-th...

Problem:

When I receive a failure message from Firehose, my lambda code strips the Kinesis meta data from to the original format. Now, if I send this to splunk  (through the way the above document guides i.e. SNS/SQS and then Splunk AWS Add-On), it does not do the correct parsing at sourcetype level.

I would like an example of what the request that is sent through the AWS SNS/SQS and Splunk AWS Add-On is supposed to look like to get over the parsing issue at sourcetype level.

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...