Yes, the Lambda function would take care of uncompressing the ALB logs, parsing each line, and sending the raw line events in batches to HEC. Here's a snippet of working code, where logger is a simple HEC client library you can find in the Splunk Lambda blueprints in the AWS Lambda console, and payload is the log.gz file retrieved from S3.
zlib.gunzip(payload, (err, result) => {
    if (err) {
        console.log(err);
        callback(err);
    } else {
        const parsed = result.toString('ascii');
        const logEvents = parsed.split("\n");
        let count = 0, time;
        if (logEvents) {
            logEvents.forEach((event) => {
                if (event) {
                    // Extract timestamp as 2nd field in log entry
                    // For more details: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-log-entry-format
                    time = event.split(' ')[1];
                    // Forward with source-specified timestamp
                    // (optional 'context' arg used to add Lambda metadata e.g. awsRequestId, functionName)
                    logger.logWithTime(time, event, context);
                    count += 1;
                }
            });
            console.log(`Processed ${count} log entries`);
        }
        logger.flushAsync((err, response) => {
            if (err) {
                callback(err);
            } else {
                console.log(`Response from Splunk:\n${response}`);
                callback(null, count); // Echo number of events forwarded
            }
        });
    }
});
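For context, the snippet above runs inside the Lambda handler that the S3 bucket notification invokes. Below is a minimal sketch of that surrounding handler, assuming the bucket's S3 event notification triggers the function and the object is fetched with the aws-sdk v2 getObject call; the require path for the HEC client and the SPLUNK_HEC_URL / SPLUNK_HEC_TOKEN environment variables follow the blueprint's layout and are illustrative, so adjust them to your setup.

// Module-level requires and clients (sketch; names/paths are assumptions, not part of the original snippet)
const aws = require('aws-sdk');
const zlib = require('zlib');
const SplunkLogger = require('./lib/mysplunklogger'); // HEC client library from the Splunk blueprint
const logger = new SplunkLogger({
    url: process.env.SPLUNK_HEC_URL,
    token: process.env.SPLUNK_HEC_TOKEN,
});
const s3 = new aws.S3();

exports.handler = (event, context, callback) => {
    // ALB writes its access logs to S3; the S3 event notification supplies bucket and key
    const bucket = event.Records[0].s3.bucket.name;
    const key = decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, ' '));

    s3.getObject({ Bucket: bucket, Key: key }, (err, data) => {
        if (err) {
            console.log(err);
            callback(err);
            return;
        }
        const payload = data.Body; // gzipped log file as a Buffer, fed to zlib.gunzip
        // ... gunzip/parse/forward logic from the snippet above ...
    });
};

Once the function is subscribed to the bucket's ObjectCreated events, each new ALB log object is decompressed, split into lines, and forwarded to HEC in batches via logger.flushAsync.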