CINXE.COM

Ingesting AWS S3 data written by ingest actions - Splunk Lantern

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ingesting AWS S3 data written by ingest actions - Splunk Lantern</title> <link media="screen" type="text/css" rel="stylesheet" href="https://a.mtstatic.com/@cache/layout/legacy.css?_=814adc7572602bc7c2a39e3e9899638a_bGFudGVybi5zcGx1bmsuY29t:site_13743" id="mt-screen-css" /> <link media="print" type="text/css" rel="stylesheet" href="https://a.mtstatic.com/@cache/layout/print.css?_=a87985e947b3b92ebec6cfe4689bceb3:site_13743" id="mt-print-css" /> <script type="text/javascript" nonce="f2b0f5cf2b64bf0ba4b0ff4198771540bdbf77c6d95afe75de5e2af8c39c946f" src="https://a.mtstatic.com/deki/javascript/out/grape.min.js?_=76f77a33377b2f0da26a22ff3a2c3345f92f980b:site_13743"></script><script type="application/json" id="mt-global-settings" nonce="f2b0f5cf2b64bf0ba4b0ff4198771540bdbf77c6d95afe75de5e2af8c39c946f">{"apiToken":"xhr_2_1732690009_d3e1390c7a4942d4a3351deedd3fc7042d5ba71768e65a6b1183317625de882e","pageId":7958,"pageViewId":"59151761-4f87-4cdf-a216-1a47277cb1f6"}</script> <!-- OneTrust Cookies Consent Notice start for lantern.splunk.com --> <script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="a033fe7d-80cf-4e46-8cc6-1a0d7f0cf92c"></script> <script type="text/javascript">/*<![CDATA[*/ function OptanonWrapper() { } /*]]>*/</script> <!-- OneTrust Cookies Consent Notice end for lantern.splunk.com --> <!-- Google Tag Manager --> <script>/*<![CDATA[*/(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-TPV7TP');/*]]>*/</script> <!-- End Google Tag Manager &acirc;&#134;&#146; <- Google Tag Manager (noscript) &acirc;&#134;&#146; <noscript> <iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TPV7TP" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <- End Google Tag Manager (noscript) &acirc;&#134;&#146;</html>--> <script type="text/javascript" nonce="f2b0f5cf2b64bf0ba4b0ff4198771540bdbf77c6d95afe75de5e2af8c39c946f">(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create','UA-65721316-34','lantern.splunk.com',{name:'mtTracker',allowLinker:true});ga('mtTracker.require','linker');ga('mtTracker.set', 'anonymizeIp', true);ga('mtTracker.send','pageview');document.addEventListener('mindtouch-web-widget:f1:loaded',function(e){var t=e.data||{},d=t.widget;d&&''!==t.embedId&&document.addEventListener('mindtouch-web-widget:f1:clicked',function(e){var t=(e.data||{}).href;if(t){var n=document.createElement('a');n.setAttribute('href',t),'expert-help.nice.com'===n.hostname&&(e.preventDefault(),ga('linker:decorate',n),d.open(n.href))}})});</script> </head> <body class="columbia-page-main columbia-article-howto columbia-breadcrumb-home-datadescriptors-amazon-ingestingawss3datawrittenbyingestactions columbia-live no-touch columbia-lang-en-us columbia-skin-grape"> <div class="grape-messaging"> </div> <div class="grape-header-custom"> <div class="custom-nav-wrapper"><div class="navbar"><div class="logo-container"><div class="navbar-link navbar-logo"><div translate="no"><a href="https://splunk.com" target="_blank" rel="external noopener nofollow" class="link-https"><img src="https://lantern.splunk.com/@api/deki/site/logo.png?default=https://a.mtstatic.com/skins/styles/elm/logo.svg%3F_%3D76f77a33377b2f0da26a22ff3a2c3345f92f980b:site_13743" /></a></div></div><div class="navbar-link lantern-home"><a class="internal" href="https://lantern.splunk.com/" rel="internal">Lantern Home</a></div><div class="navbar-link navbar-link-toggle"><span class="hamburger"></span><span class="hamburger"></span><span class="hamburger"></span></div></div><nav class="navbar-items navbar-items-right"><div class="navbar-link mobile-user-wrapper"><img id="splunk-login-icon" class="internal" alt="splunk-login-icon.png" loading="lazy" src="https://lantern.splunk.com/@api/deki/files/4151/splunk-login-icon.png?revision=1" /><a href="https://lantern.splunk.com/@app/auth/2/login?returnto=Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" rel="nofollow">Login</a></div><div class="navbar-link"><a target="_blank" href="https://docs.splunk.com/" rel="external noopener nofollow" class="link-https">Documentation</a></div><div class="navbar-link"><a target="_blank" href="https://www.splunk.com/en_us/community.html" rel="external noopener nofollow" class="link-https">Community</a></div><div class="navbar-link"><a target="_blank" href="https://www.splunk.com/en_us/training.html" rel="external noopener nofollow" class="link-https">Training &amp; Certification</a></div><div class="navbar-link"><a target="_blank" href="http://login.splunk.com/page/sso_redirect?type=portal" rel="external noopener nofollow" class="external">Support Portal</a></div><div class="navbar-link"><a target="_blank" href="https://usergroups.splunk.com/" rel="external noopener nofollow" class="link-https">User Groups</a></div><div class="navbar-link user-dropdown"><img id="login-icon" class="internal" alt="splunk-login-icon.png" loading="lazy" src="https://lantern.splunk.com/@api/deki/files/4151/splunk-login-icon.png?revision=1" /><div id="dropdown-wrapper"><div class="triangle"></div><ul><a href="https://lantern.splunk.com/@app/auth/2/login?returnto=Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" rel="nofollow">Login</a></ul></div></div><div class="navbar-link"><a target="_blank" href="https://www.splunk.com/en_us/download/splunk-cloud/cloud-trial.html" rel="external noopener nofollow" class="link-https">Free Splunk</a></div></nav></div></div> <script type="text/javascript">/*<![CDATA[*/ function classToggle() { const navs = document.querySelectorAll('.navbar-items') navs.forEach(function(nav) { nav.classList.toggle('navbar-toggle-show') }) } document.querySelector('.navbar-link-toggle') .addEventListener('click', classToggle);/*]]>*/</script> <script type="text/javascript">/*<![CDATA[*/ var userDropLink = document.querySelector(".navbar-link.user-dropdown"); var userDropName = document.getElementById("user-dropdown-name"); var userDropMenu = document.getElementById("dropdown-wrapper"); var userDropArrow = document.querySelector(".dropdown-arrow"); var userIcon = document.getElementById("login-icon-desk-anon"); console.log(userIcon); function showDropdown() { if(userDropName && userDropArrow) { userDropArrow.style.transform = "rotate(180deg)"; userDropArrow.style.color = "#ed0080"; userDropMenu.style.display = "block"; userDropName.style.background = "#ed0080"; } else { console.log("anon"); userDropMenu.style.display = "block"; userIcon.style.fill = "#ed0080"; } } function hideDropdown() { if(userDropName && userDropArrow) { userDropMenu.style.display = "none"; userDropName.style.background = "#656c76"; userDropArrow.style.transform = "rotate(0deg)"; userDropArrow.style.color = "#656c76"; } else { userDropMenu.style.display = "none"; userIcon.style.fill = "#656c76"; } } userDropLink.addEventListener("mouseenter", showDropdown); userDropLink.addEventListener("mouseleave", hideDropdown);/*]]>*/</script> <script type="text/javascript">/*<![CDATA[*/ (function(){var g=function(e,h,f,g){ this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null}; this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "}; this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0}; this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}}; this.start=function(){var t=this;"complete"!==document.readyState?window.addEventListener?window.addEventListener("load",function(){t.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){t.go()}):t.go()};}; try{(new g(100,"r","QSI_S_ZN_1EUShoUYECtmqnc","https://zn1eushouyectmqnc-splunk.siteintercept.qualtrics.com/SIE/?Q_ZID=ZN_1EUShoUYECtmqnc")).start()}catch(i){}})(); /*]]>*/</script> <script type="text/javascript">/*<![CDATA[*/ var seated = user.seated;/*]]>*/</script> <script type="text/javascript">/*<![CDATA[*/ (function(){var g=function(e,h,f,g){ this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null}; this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "}; this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0}; this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}}; this.start=function(){var t=this;"complete"!==document.readyState?window.addEventListener?window.addEventListener("load",function(){t.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){t.go()}):t.go()};}; try{(new g(100,"r","QSI_S_ZN_6YEBaVzF9jwyuj4","https://zn6yebavzf9jwyuj4-splunk.siteintercept.qualtrics.com/SIE/?Q_ZID=ZN_6YEBaVzF9jwyuj4")).start()}catch(i){}})(); /*]]>*/</script> <div id="ZN_6YEBaVzF9jwyuj4">&nbsp;</div> <script type="text/javascript">/*<![CDATA[*/ (function(){var g=function(e,h,f,g){ this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null}; this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "}; this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0}; this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}}; this.start=function(){var t=this;"complete"!==document.readyState?window.addEventListener?window.addEventListener("load",function(){t.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){t.go()}):t.go()};}; try{(new g(100,"r","QSI_S_ZN_aaOQXgG6XwUToDc","https://znaaoqxgg6xwutodc-splunk.siteintercept.qualtrics.com/SIE/?Q_ZID=ZN_aaOQXgG6XwUToDc")).start()}catch(i){}})(); /*]]>*/</script> <div id="ZN_aaOQXgG6XwUToDc">&nbsp;</div> </div> <div class="grape-header grape-wrapper"> <div class="grape-header-container grape-wrapper-container"> <div class="grape-site-logo"> <a class="logo-anonymous" href="/" title="Splunk Lantern"> <img class="mt-cdn" src="https://a.mtstatic.com/@public/production/site_13743/1710778214-logo.png" alt="Splunk Lantern" title="Splunk Lantern"> </a> </div> <div class="grape-site-navigation"> <ul class="mt-site-nav"> <li class="mt-login-sign-in"> <a class="mt-icon-quick-sign-in" href="https://lantern.splunk.com/@app/auth/2/login?returnto=https%3A%2F%2Flantern.splunk.com%2FData_Descriptors%2FAmazon%2FIngesting_AWS_S3_data_written_by_ingest_actions" title="Sign in"> Sign in </a> </li> <li class="mt-login-forgot-password"> <a class="mt-icon-login-forgot-password" href="https://lantern.splunk.com/Special:UserPassword" title="Retrieve lost password"> Forgot password </a> </li> </ul> </div> <div class="grape-site-search"> <div class="mt-quick-search-container"> <form action="/Special:Search"> <input name="path" id="mt-search-path" type="hidden" value="" /> <label class="mt-label" for="mt-site-search-input"> Search </label> <input class="mt-text mt-search search-field" name="q" id="mt-site-search-input" placeholder="How can we help you?" type="search" /> <button class="mt-button ui-button-icon mt-icon-site-search-button search-button" type="submit"> Search </button> </form> </div> </div> </div> <div class="grape-site-nav grape-wrapper-container"> <ul class="mt-breadcrumbs"> <li> <a href="https://lantern.splunk.com/"> <span class="mt-icon-article-category mt-icon-article-home"></span> Home </a> </li> <li> <a href="https://lantern.splunk.com/Data_Descriptors"> <span class="mt-icon-article-guide"></span> Data Descriptors </a> </li> <li> <a href="https://lantern.splunk.com/Data_Descriptors/Amazon"> <span class="mt-icon-article-topic"></span> Amazon </a> </li> </ul> </div> </div> <div class="grape-content grape-wrapper"> <div class="grape-content-container grape-wrapper-container"> <div id="flash-messages"><div class="dekiFlash"></div></div> <h1 id="title" class="no-edit" style="visibility: visible;"> Ingesting AWS S3 data written by ingest actions </h1> <div class="mt-last-updated"> <strong>Last updated:</strong> <span class="modified mt-last-updated-timestamp" data-timestamp="2024-06-27T17:16:29Z"></span> </div> <div class="mt-content-header"> <p>&nbsp;</p> </div> <div class="mt-content-side"> <div class="custom-tree"><div id="side-nav-toggle-container"><span class="side-nav-hamburger"></span><span class="side-nav-hamburger"></span><span class="side-nav-hamburger"></span></div><div class="wiki-tree"><ul><li class="first"><a title="Data_Descriptors/Antivirus_and_antimalware_data" pageid="384" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Antivirus_and_antimalware_data" rel="internal">Antivirus and antimalware data</a></li><li><a title="Data_Descriptors/Application_data" pageid="385" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Application_data" rel="internal">Application data</a></li><li><a title="Data_Descriptors/Application_server_data" pageid="435" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Application_server_data" rel="internal">Application server data</a></li><li><a title="Data_Descriptors/Authentication_data" pageid="383" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Authentication_data" rel="internal">Authentication data</a></li><li><a title="Data_Descriptors/Backup_data" pageid="950" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Backup_data" rel="internal">Backup data</a></li><li><a title="Data_Descriptors/Vendor-specific_data" pageid="387" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Vendor-specific_data" rel="internal">Vendor-specific data</a></li><li><a title="Data_Descriptors/Endpoint_detection_and_response_(EDR)_data" pageid="469" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Endpoint_detection_and_response_(EDR)_data" rel="internal">Endpoint detection and response (EDR) data</a></li><li><a title="Data_Descriptors/Intrusion_detection_and_prevention_data_(IDS_and_IPS)" pageid="472" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Intrusion_detection_and_prevention_data_(IDS_and_IPS)" rel="internal">Intrusion detection and prevention data (IDS and IPS)</a></li><li><a title="Data_Descriptors/Load_balancer_data" pageid="473" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Load_balancer_data" rel="internal">Load balancer data</a></li><li><a title="Data_Descriptors/Email_data" pageid="426" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Email_data" rel="internal">Email data</a></li><li><a title="Data_Descriptors/Network_communication_data" pageid="894" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Network_communication_data" rel="internal">Network communication data</a></li><li><a title="Data_Descriptors/Patch_management_data" pageid="953" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Patch_management_data" rel="internal">Patch management data</a></li><li><a title="Data_Descriptors/Physical_security_data" pageid="947" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Physical_security_data" rel="internal">Physical security data</a></li><li><a title="Data_Descriptors/Web_proxy_data" pageid="895" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Web_proxy_data" rel="internal">Web proxy data</a></li><li><a title="Data_Descriptors/Change_events_data" pageid="897" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Change_events_data" rel="internal">Change events data</a></li><li><a title="Data_Descriptors/Configuration_management_data" pageid="898" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Configuration_management_data" rel="internal">Configuration management data</a></li><li><a title="Data_Descriptors/IP_address_assignment_data" pageid="381" class="internal" href="https://lantern.splunk.com/Data_Descriptors/IP_address_assignment_data" rel="internal">IP address assignment data</a></li><li><a title="Data_Descriptors/Vulnerability_detection_data" pageid="424" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Vulnerability_detection_data" rel="internal">Vulnerability detection data</a></li><li><a title="Data_Descriptors/Web_server_data" pageid="434" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Web_server_data" rel="internal">Web server data</a></li><li><a title="Data_Descriptors/DNS_data" pageid="474" class="internal" href="https://lantern.splunk.com/Data_Descriptors/DNS_data" rel="internal">DNS data</a><ul><li class="first last"><a title="Data_Descriptors/DNS_data/Installing_and_configuring_Splunk_Stream" pageid="4623" class="internal" href="https://lantern.splunk.com/Data_Descriptors/DNS_data/Installing_and_configuring_Splunk_Stream" rel="internal">Installing and configuring Splunk Stream</a></li></ul></li><li><a title="Data_Descriptors/Linux_and_Unix" pageid="5621" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Linux_and_Unix" rel="internal">Linux and Unix</a></li><li><a title="Data_Descriptors/Okta" pageid="4822" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Okta" rel="internal">Okta</a><ul><li class="first"><a title="Data_Descriptors/Okta/Enabling_Okta_single_sign-on_in_the_Splunk_platform" pageid="4802" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Okta/Enabling_Okta_single_sign-on_in_the_Splunk_platform" rel="internal">Enabling Okta single sign-on in the Splunk platform</a></li><li class="last"><a title="Data_Descriptors/Okta/Getting_Okta_data_into_the_Splunk_platform" pageid="4803" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Okta/Getting_Okta_data_into_the_Splunk_platform" rel="internal">Getting Okta data into the Splunk platform</a></li></ul></li><li><a title="Data_Descriptors/SAP" pageid="4419" class="internal" href="https://lantern.splunk.com/Data_Descriptors/SAP" rel="internal">SAP</a></li><li><a title="Data_Descriptors/Zscaler" pageid="2127" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Zscaler" rel="internal">Zscaler</a></li><li><a title="Data_Descriptors/Zoom" pageid="3753" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Zoom" rel="internal">Zoom</a></li><li><a title="Data_Descriptors/Zeek" pageid="3495" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Zeek" rel="internal">Zeek</a></li><li><a title="Data_Descriptors/Websense" pageid="3905" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Websense" rel="internal">Websense</a></li><li><a title="Data_Descriptors/VMware" pageid="3906" class="internal" href="https://lantern.splunk.com/Data_Descriptors/VMware" rel="internal">VMware</a></li><li><a title="Data_Descriptors/CrowdStrike" pageid="3526" class="internal" href="https://lantern.splunk.com/Data_Descriptors/CrowdStrike" rel="internal">CrowdStrike</a></li><li><a title="Data_Descriptors/Carbon_Black" pageid="866" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Carbon_Black" rel="internal">Carbon Black</a></li><li><a title="Data_Descriptors/Kubernetes" pageid="2194" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Kubernetes" rel="internal">Kubernetes</a><ul><li class="first"><a title="Data_Descriptors/Kubernetes/Getting_Kubernetes_log_data_Into_Splunk_Cloud_Platform_with_OpenTelemetry" pageid="7077" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Kubernetes/Getting_Kubernetes_log_data_Into_Splunk_Cloud_Platform_with_OpenTelemetry" rel="internal">Getting Kubernetes log data Into Splunk Cloud Platform with OpenTelemetry</a></li><li class="last"><a title="Data_Descriptors/Kubernetes/Setting_up_the_OpenTelemetry_Demo_in_Kubernetes" pageid="7078" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Kubernetes/Setting_up_the_OpenTelemetry_Demo_in_Kubernetes" rel="internal">Setting up the OpenTelemetry Demo in Kubernetes</a></li></ul></li><li><a title="Data_Descriptors/Check_Point" pageid="1784" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Check_Point" rel="internal">Check Point</a></li><li><a title="Data_Descriptors/Fortinet" pageid="3777" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Fortinet" rel="internal">Fortinet</a></li><li><a title="Data_Descriptors/Salesforce" pageid="885" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Salesforce" rel="internal">Salesforce</a></li><li><a title="Data_Descriptors/Symantec" pageid="887" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Symantec" rel="internal">Symantec</a></li><li><a title="Data_Descriptors/Palo_Alto_Networks" pageid="884" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Palo_Alto_Networks" rel="internal">Palo Alto Networks</a><ul><li class="first last"><a title="Data_Descriptors/Palo_Alto_Networks/Using_ingest_actions_to_filter_Palo_Alto_logs" pageid="7989" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Palo_Alto_Networks/Using_ingest_actions_to_filter_Palo_Alto_logs" rel="internal">Using ingest actions to filter Palo Alto logs</a></li></ul></li><li><a title="Data_Descriptors/Trend_Micro" pageid="5708" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Trend_Micro" rel="internal">Trend Micro</a></li><li><a title="Data_Descriptors/Tenable" pageid="1789" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Tenable" rel="internal">Tenable</a><ul><li class="first last"><a title="Data_Descriptors/Tenable/Migrating_from_Tenable_LCE_to_Splunk_Enterprise_Security" pageid="7414" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Tenable/Migrating_from_Tenable_LCE_to_Splunk_Enterprise_Security" rel="internal">Migrating from Tenable LCE to Splunk Enterprise Security</a></li></ul></li><li><a title="Data_Descriptors/GitHub" pageid="3805" class="internal" href="https://lantern.splunk.com/Data_Descriptors/GitHub" rel="internal">GitHub</a></li><li><a title="Data_Descriptors/Atlassian" pageid="2199" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Atlassian" rel="internal">Atlassian</a></li><li><a title="Data_Descriptors/AppDynamics" pageid="2196" class="internal" href="https://lantern.splunk.com/Data_Descriptors/AppDynamics" rel="internal">AppDynamics</a></li><li><a title="Data_Descriptors/Dell" pageid="871" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Dell" rel="internal">Dell</a></li><li><a title="Data_Descriptors/Syslog" pageid="4334" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Syslog" rel="internal">Syslog</a><ul><li class="first"><a title="Data_Descriptors/Syslog/Installing_Splunk_Connect_For_Syslog_(SC4S)_on_a_Windows_network" pageid="4336" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Syslog/Installing_Splunk_Connect_For_Syslog_(SC4S)_on_a_Windows_network" rel="internal">Installing Splunk Connect For Syslog (SC4S) on a Windows network</a></li><li class="last"><a title="Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog" pageid="2261" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog" rel="internal">Understanding best practices for Splunk Connect for Syslog</a><ul><li class="first"><a title="Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog/Adding_compliance_data_to_syslog_data_in_stream" pageid="2255" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog/Adding_compliance_data_to_syslog_data_in_stream" rel="internal">Adding compliance data to syslog data in stream</a></li><li><a title="Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog/Filtering_syslog_data_to_dev_null" pageid="2256" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog/Filtering_syslog_data_to_dev_null" rel="internal">Filtering syslog data to dev null</a></li><li class="last"><a title="Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog/Routing_syslog_data_to_custom_indexes" pageid="2141" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Syslog/Understanding_best_practices_for_Splunk_Connect_for_Syslog/Routing_syslog_data_to_custom_indexes" rel="internal">Routing syslog data to custom indexes</a></li></ul></li></ul></li><li><a title="Data_Descriptors/Apache" pageid="1714" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Apache" rel="internal">Apache</a></li><li><a title="Data_Descriptors/Amazon" pageid="5735" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon" rel="internal">Amazon</a><ul><li class="first"><a title="Data_Descriptors/Amazon/Configuring_AWS_CloudTrail_and_CloudWatch_data_collection" pageid="863" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Configuring_AWS_CloudTrail_and_CloudWatch_data_collection" rel="internal">Configuring AWS CloudTrail and CloudWatch data collection</a></li><li><a title="Data_Descriptors/Amazon/Expanding_AWS_log_ingestion_capabilities_with_Splunk_Data_Manager_custom_logs" pageid="8100" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Expanding_AWS_log_ingestion_capabilities_with_Splunk_Data_Manager_custom_logs" rel="internal">Expanding AWS log ingestion capabilities with custom logs in Splunk Data Manager</a></li><li><a title="Data_Descriptors/Amazon/Implementing_a_reingestion_pipeline_for_AWS_logs_using_Kinesis_Data_Firehose" pageid="7381" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Implementing_a_reingestion_pipeline_for_AWS_logs_using_Kinesis_Data_Firehose" rel="internal">Implementing a reingestion pipeline for AWS logs using Kinesis Data Firehose</a></li><li><a title="Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" pageid="7958" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" rel="internal">Ingesting AWS S3 data written by ingest actions</a></li><li><a title="Data_Descriptors/Amazon/Ingesting_VPC_flow_logs_into_Edge_Processor_via_Firehose_streams" pageid="8108" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Ingesting_VPC_flow_logs_into_Edge_Processor_via_Firehose_streams" rel="internal">Ingesting VPC flow logs into Edge Processor via Amazon Data Firehose</a></li><li><a title="Data_Descriptors/Amazon/Migrating_AWS_inputs_to_Data_Manager" pageid="4516" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Migrating_AWS_inputs_to_Data_Manager" rel="internal">Migrating AWS inputs to Data Manager</a></li><li><a title="Data_Descriptors/Amazon/Partitioning_data_in_S3_for_the_best_FS-S3_experience" pageid="7825" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Partitioning_data_in_S3_for_the_best_FS-S3_experience" rel="internal">Partitioning data in S3 for the best FS-S3 experience</a></li><li><a title="Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_to_filter,_enrich,_and_retrieve_data_from_Amazon_S3" pageid="8342" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_to_filter%2C_enrich%2C_and_retrieve_data_from_Amazon_S3" rel="internal">Using federated search for Amazon S3 (FS-S3) to filter, enrich, and retrieve data from Amazon S3</a></li><li><a title="Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_with_Edge_Processor" pageid="8040" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_with_Edge_Processor" rel="internal">Using federated search for Amazon S3 (FS-S3) with Edge Processor</a></li><li class="last"><a title="Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_with_ingest_actions" pageid="7900" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_with_ingest_actions" rel="internal">Using federated search for Amazon S3 (FS-S3) with ingest actions</a></li></ul></li><li><a title="Data_Descriptors/Cisco" pageid="5742" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Cisco" rel="internal">Cisco</a></li><li><a title="Data_Descriptors/Microsoft" pageid="5743" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Microsoft" rel="internal">Microsoft</a><ul><li class="first"><a title="Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data" pageid="2937" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data" rel="internal">Getting started with Microsoft Azure Event Hub data</a></li><li><a title="Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_record_data" pageid="7167" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_record_data" rel="internal">Getting started with Microsoft Teams call record data</a></li><li><a title="Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_record_data_and_Azure_Functions" pageid="7168" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_record_data_and_Azure_Functions" rel="internal">Getting started with Microsoft Teams call record data and Azure Functions</a></li><li class="last"><a title="Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-on_for_Splunk" pageid="7166" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-on_for_Splunk" rel="internal">Getting started with the Microsoft Teams Add-on for Splunk</a></li></ul></li><li><a title="Data_Descriptors/Google" pageid="5744" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google" rel="internal">Google</a><ul><li class="first"><a title="Data_Descriptors/Google/Configuring_Alert_Actions_with_the_Google_Chrome_Add_On_for_Splunk" pageid="6562" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Configuring_Alert_Actions_with_the_Google_Chrome_Add_On_for_Splunk" rel="internal">Configuring Alert Actions with the Google Chrome Add On for Splunk</a></li><li><a title="Data_Descriptors/Google/Configuring_Google_Workspace_as_a_SAML_IdP_with_Splunk_Cloud_Platform" pageid="3317" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Configuring_Google_Workspace_as_a_SAML_IdP_with_Splunk_Cloud_Platform" rel="internal">Configuring Google Workspace as a SAML IdP with Splunk Cloud Platform</a></li><li><a title="Data_Descriptors/Google/Deploying_Workload_Identity_Federation_between_AWS_and_GCP" pageid="7961" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Deploying_Workload_Identity_Federation_between_AWS_and_GCP" rel="internal">Deploying Workload Identity Federation between AWS and GCP</a></li><li><a title="Data_Descriptors/Google/Getting_started_with_the_Google_ChromeOS_App_for_Splunk" pageid="7202" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Getting_started_with_the_Google_ChromeOS_App_for_Splunk" rel="internal">Getting started with the Google ChromeOS App for Splunk</a></li><li><a title="Data_Descriptors/Google/Getting_started_with_the_Google_Chrome_App_for_Splunk" pageid="6447" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Getting_started_with_the_Google_Chrome_App_for_Splunk" rel="internal">Getting started with the Google Chrome App for Splunk</a></li><li><a title="Data_Descriptors/Google/Ingesting_Google_Cloud_asset_inventory_data" pageid="1875" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Ingesting_Google_Cloud_asset_inventory_data" rel="internal">Ingesting Google Cloud asset inventory data</a></li><li class="last"><a title="Data_Descriptors/Google/Ingesting_Google_Cloud_data_into_Splunk_using_command_line_programs" pageid="5897" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Google/Ingesting_Google_Cloud_data_into_Splunk_using_command_line_programs" rel="internal">Ingesting Google Cloud data into Splunk using command line programs</a></li></ul></li><li><a title="Data_Descriptors/JupiterOne" pageid="5913" class="internal" href="https://lantern.splunk.com/Data_Descriptors/JupiterOne" rel="internal">JupiterOne</a><ul><li class="first last"><a title="Data_Descriptors/JupiterOne/Optimizing_and_automating_SecOps_with_JupiterOne" pageid="5912" class="internal" href="https://lantern.splunk.com/Data_Descriptors/JupiterOne/Optimizing_and_automating_SecOps_with_JupiterOne" rel="internal">Optimizing and automating SecOps with JupiterOne</a></li></ul></li><li><a title="Data_Descriptors/GitLab" pageid="6414" class="internal" href="https://lantern.splunk.com/Data_Descriptors/GitLab" rel="internal">GitLab</a><ul><li class="first"><a title="Data_Descriptors/GitLab/Getting_Gitlab_CICD_data_out_of_a_Gitlab_Pipeline_into_Splunk" pageid="6415" class="internal" href="https://lantern.splunk.com/Data_Descriptors/GitLab/Getting_Gitlab_CICD_data_out_of_a_Gitlab_Pipeline_into_Splunk" rel="internal">Getting GitLab CI/CD data into the Splunk platform</a></li><li class="last"><a title="Data_Descriptors/GitLab/Sending_GitLab_webhook_data_to_the_Splunk_platform" pageid="6417" class="internal" href="https://lantern.splunk.com/Data_Descriptors/GitLab/Sending_GitLab_webhook_data_to_the_Splunk_platform" rel="internal">Sending GitLab webhook data to the Splunk platform</a></li></ul></li><li><a title="Data_Descriptors/Mac_OS" pageid="6655" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Mac_OS" rel="internal">Mac OS</a><ul><li class="first last"><a title="Data_Descriptors/Mac_OS/Collecting_Mac_OS_log_files" pageid="6648" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Mac_OS/Collecting_Mac_OS_log_files" rel="internal">Collecting Mac OS log files</a></li></ul></li><li><a title="Data_Descriptors/Docker" pageid="7069" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Docker" rel="internal">Docker</a><ul><li class="first"><a title="Data_Descriptors/Docker/Getting_Docker_log_data_into_Splunk_Cloud_Platform_with_OpenTelemetry" pageid="7075" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Docker/Getting_Docker_log_data_into_Splunk_Cloud_Platform_with_OpenTelemetry" rel="internal">Getting Docker log data into Splunk Cloud Platform with OpenTelemetry</a></li><li class="last"><a title="Data_Descriptors/Docker/Setting_up_the_OpenTelemetry_Demo_in_Docker" pageid="7070" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Docker/Setting_up_the_OpenTelemetry_Demo_in_Docker" rel="internal">Setting up the OpenTelemetry Demo in Docker</a></li></ul></li><li><a title="Data_Descriptors/Firewall_data" pageid="470" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Firewall_data" rel="internal">Firewall data</a></li><li><a title="Data_Descriptors/MOVEit" pageid="7904" class="internal" href="https://lantern.splunk.com/Data_Descriptors/MOVEit" rel="internal">MOVEit</a></li><li><a title="Data_Descriptors/Skyhigh_Security" pageid="7909" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Skyhigh_Security" rel="internal">Skyhigh Security</a><ul><li class="first last"><a title="Data_Descriptors/Skyhigh_Security/Configuring_Splunk_add-on_for_McAfee//Skyhigh_Web_Gateway" pageid="7933" class="internal" href="https://lantern.splunk.com/Data_Descriptors/Skyhigh_Security/Configuring_Splunk_add-on_for_McAfee%2F%2FSkyhigh_Web_Gateway" rel="internal">Configuring Splunk add-on for McAfee/Skyhigh Web Gateway</a></li></ul></li><li><a title="Data_Descriptors/CyberArk" pageid="7938" class="internal" href="https://lantern.splunk.com/Data_Descriptors/CyberArk" rel="internal">CyberArk</a></li><li><a title="Data_Descriptors/OpenAI" pageid="7964" class="internal" href="https://lantern.splunk.com/Data_Descriptors/OpenAI" rel="internal">OpenAI</a><ul><li class="first last"><a title="Data_Descriptors/OpenAI/Monitoring_applications_using_OpenAI_API_and_GPT_models_with_OpenTelemetry_and_Splunk_APM" pageid="7965" class="internal" href="https://lantern.splunk.com/Data_Descriptors/OpenAI/Monitoring_applications_using_OpenAI_API_and_GPT_models_with_OpenTelemetry_and_Splunk_APM" rel="internal">Monitoring applications using OpenAI API and GPT models with OpenTelemetry and Splunk APM</a></li></ul></li><li class="last"><a title="Data_Descriptors/NETSCOUT" pageid="8411" class="internal" href="https://lantern.splunk.com/Data_Descriptors/NETSCOUT" rel="internal">NETSCOUT</a><ul><li class="first last"><a title="Data_Descriptors/NETSCOUT/Configuring_and_monitoring_NETSCOUT_Omnis_AI_Streamer_data" pageid="8412" class="internal" href="https://lantern.splunk.com/Data_Descriptors/NETSCOUT/Configuring_and_monitoring_NETSCOUT_Omnis_AI_Streamer_data" rel="internal">Configuring and monitoring NETSCOUT Omnis AI Streamer data</a></li></ul></li></ul></div></div> <script type="text/javascript">/*<![CDATA[*/ const trees = document.querySelectorAll(".wiki-tree > ul"); let currentPage = window.location.href; function listChildren(e) { if (e.children.length === 0) { return; } for (var i = 0; i < e.children.length; i++) { var el = e.children[i]; if (el.children.length > 1 && el.tagName == "LI") { el.className = "mt-icon-arrow-right8 collapsed"; el.addEventListener("click", function (event) { if (this.className == "mt-icon-arrow-right8 collapsed") { this.className = "mt-icon-arrow-down8"; } else { this.className = "mt-icon-arrow-right8 collapsed"; } event.stopPropagation(); }); } else { el.addEventListener("click", function (event) { event.stopPropagation(); }); } if (el.href == currentPage) { el.classList.add("active-page"); //Loop through this page and all parent pages, and remove the collapsed class var pElement = el.parentElement.parentElement; //Skipping direct parent so that currentPage itself remains collapsed for (var j = 0; j < 1000; j++) { pElement.classList.remove("collapsed"); if (pElement.classList.contains("mt-icon-arrow-right8")) { pElement.classList.remove("mt-icon-arrow-right8"); pElement.classList.add("mt-icon-arrow-down8"); } pElement = pElement.parentElement; if (pElement.classList.contains("wiki-tree")) { break; } } } listChildren(e.children[i]); } } for (var i = 0; i < trees.length; i++) { listChildren(trees[i]); }/*]]>*/</script> </div> <div id="mt-toc-container" data-title="Table of contents" data-collapsed="true"> <button class="mt-toggle mt-summary-toggle ui-button-icon mt-toggle-expand">Table of contents</button> <div class="mt-toc-content mt-collapsible-section mt-toc-hide"> <ol><li><a href="#Create_S3_destination_and_route_data" rel="internal">Create S3 destination and route data</a></li><li><a href="#Ingesting_S3_data" rel="internal">Ingesting S3 data</a></li><li><a href="#Next_steps" rel="internal">Next steps</a></li></ol> </div> </div> <div id="page-top"> <div id="topic"> <div id="pageText"><p>Using <a title="Using federated search for Amazon S3 (FS-S3) with ingest actions" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_with_ingest_actions" rel="internal">federated search for S3</a> allows you to easily search data that has been written to S3 from the Splunk platform. In some cases, you might need to fully ingest certain parts of the data into the Splunk platform. <a href="https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_in_Splunk_Enterprise" rel="internal">Ingest actions</a> allows you to save data in S3 and ingest it when you need it later on, to avoid extra ingest usage. This article shows you how to configure the <a href="https://docs.splunk.com/Documentation/AddOns/released/AWS/S3" target="_blank" rel="external noopener nofollow" class="link-https">AWS S3 Splunk add on</a> to ingest this data after it has been written to S3.</p> <div mt-section-origin="Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" class="mt-section" id="section_1"><span id="Create_S3_destination_and_route_data"></span><h2 class="editable"><strong>Create S3 destination and route data</strong></h2> <p>Follow the steps in Splunk Docs to create an <a href="https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest#Create_an_S3_destination" target="_blank" rel="external noopener nofollow" class="link-https">S3 destination</a> in ingest actions to have a place to write the data to. When setting up partitioning for the destination, it's ideal to partition by <code>day</code> and <code>sourcetype</code> as a secondary key. This separates the data by day and by source type, making it easier to select only the data you want to ingest.</p> <p>After the new destination is set up with partitioning, <a href="https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest#Create_a_ruleset_with_the_Ingest_Actions_page" target="_blank" rel="external noopener nofollow" class="link-https">create a new ruleset</a> in ingest actions to <a href="https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest#Route_to_Destination_rule" target="_blank" rel="external noopener nofollow" class="link-https">route the data to the S3</a> destination you created.</p> <p>When your ruleset is working properly you will no longer see events in the Splunk platform, and you will see new buckets being created in S3.</p> </div><div mt-section-origin="Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" class="mt-section" id="section_2"><span id="Ingesting_S3_data"></span><h2 class="editable"><strong>Ingesting S3 data</strong></h2> <p>To ingest data after it's been sent to S3 via ingest actions, <a href="https://docs.splunk.com/Documentation/AddOns/released/AWS/Distributeddeployment" target="_blank" rel="external noopener nofollow" class="link-https">install</a> the <a href="https://splunkbase.splunk.com/app/1876" target="_blank" rel="external noopener nofollow" class="link-https">Splunk Add-on for Amazon Web Services (AWS)</a>.</p> <p>You'll need to <a href="https://docs.splunk.com/Documentation/AddOns/released/AWS/Setuptheadd-on" target="_blank" rel="external noopener nofollow" class="link-https">configure the account</a> the add-on uses to pull data from S3. After the account is set up, you can <a href="https://docs.splunk.com/Documentation/AddOns/released/AWS/S3" target="_blank" rel="external noopener nofollow" class="link-https">configure a generic S3 input</a> to ingest the specific data from S3.</p> <div class="mt-warning-container style-wrap" title="Warning"> <ul> <li>Use the <strong>Create New Input &gt; Custom Data Type &gt; Generic S3</strong> input type.</li> <li>Set your Start Date/Time before the Date/Time of when the data was written to S3. If the S3 bucket modification time is before the Start Date/Time, the input will not ingest the data.</li> <li>Specify a specific source type, ensuring it is not the same source type that is used in the ingest actions ruleset that writes the data to S3. If you don't do this, a loop will exist and the data will never end up in an index. An S3 key prefix or allowlist can also be specified to help limit the amount of data that is reingested.</li> <li>Amazon S3 buckets with an excessive number of files or abundant size will result in significant performance degradation and ingestion delays.</li> </ul> </div> <p>The Generic S3 input will take a few minutes to pull the data and ingest it. When it is done, you should be able to search the events specified in the index and search the data like normal.</p> <p>The events will be a JSON blob, meaning you will need to do some additional work to get field extractions to work properly based on the original source type of the data. Here is an example of what the event looks like after it is ingested:</p> <p><img alt="unnamed - 2024-06-18T100524.631.png" class="internal" loading="lazy" src="https://lantern.splunk.com/@api/deki/files/4424/unnamed_-_2024-06-18T100524.631.png?revision=1" /></p> <p>If you're not sure how to work with JSON data in the Splunk platform, the following resources might be useful:</p> <ul> <li>Splunk Community: <a data-sk="tooltip_parent" data-stringify-link="https://community.splunk.com/t5/tag/json/tg-p/board-id/splunk-search" delay="150" href="https://community.splunk.com/t5/tag/json/tg-p/board-id/splunk-search" rel="noopener noreferrer" target="_blank">JSON tagged posts</a></li> <li>YouTube: <a data-sk="tooltip_parent" data-stringify-link="https://www.youtube.com/watch?v=QvGJDFqccsM" delay="150" href="https://www.youtube.com/watch?v=QvGJDFqccsM" rel="noopener noreferrer" target="_blank">Using JSON functions</a></li> <li>Splunk Docs: <a data-sk="tooltip_parent" data-stringify-link="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/spath" delay="150" href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/spath" rel="noopener noreferrer" target="_blank">spath command</a></li> </ul> </div><div mt-section-origin="Data_Descriptors/Amazon/Ingesting_AWS_S3_data_written_by_ingest_actions" class="mt-section" id="section_3"><span id="Next_steps"></span><h2 class="editable"><strong>Next steps</strong></h2> <p>These resources might help you understand and implement this guidance:</p> <ul> <li>Splunk Lantern: <a title="Partitioning data in S3 for the best FS-S3 experience" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Partitioning_data_in_S3_for_the_best_FS-S3_experience" rel="internal">Partitioning data in S3 for the best FS-S3 experience</a></li> <li>Splunk Lantern: <a title="Using federated search for Amazon S3 (FS-S3) with ingest actions" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Using_federated_search_for_Amazon_S3_(FS-S3)_with_ingest_actions" rel="internal">Using federated search for Amazon S3 (FS-S3) with ingest actions</a></li> <li>Splunk Docs: <a title="https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest" href="https://docs.splunk.com/Documentation/Splunk/latest/Data/DataIngest" target="_blank" rel="external noopener nofollow" class="link-https">Ingest actions</a></li> <li>Splunk Docs: <a title="https://docs.splunk.com/Documentation/SplunkCloud/latest/FederatedSearch/fss3About" href="https://docs.splunk.com/Documentation/SplunkCloud/latest/FederatedSearch/fss3About" target="_blank" rel="external noopener nofollow" class="link-https">Federated Search for S3</a></li> <li>Splunk Docs: <a title="https://docs.splunk.com/Documentation/SVA/current/Architectures/IngestActions" href="https://docs.splunk.com/Documentation/SVA/current/Architectures/IngestActions" target="_blank" rel="external noopener nofollow" class="link-https">Ingest Actions Splunk Validated Architecture (SVA)</a></li> </ul> </div></div> </div> </div> <div class="mt-content-footer"> <p>&nbsp;</p> </div> <ol class="grape-meta-data grape-meta-article-navigation"> <li class="grape-back-to-top"><a class="mt-icon-back-to-top" href="#title" id="mt-back-to-top" title="Jump back to top of this article">Back to top</a></li> <li class="grape-article-pagination"><ul class="mt-article-pagination"> <li class="mt-pagination-previous"> <a class="mt-icon-previous-article" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Implementing_a_reingestion_pipeline_for_AWS_logs_using_Kinesis_Data_Firehose" title="Implementing a reingestion pipeline for AWS logs using Kinesis Data Firehose"><span>Implementing a reingestion pipeline for AWS logs using Kinesis Data Firehose</span></a> </li> <li class="mt-pagination-next"> <a class="mt-icon-next-article" href="https://lantern.splunk.com/Data_Descriptors/Amazon/Ingesting_VPC_flow_logs_into_Edge_Processor_via_Firehose_streams" title="Ingesting VPC flow logs into Edge Processor via Amazon Data Firehose"><span>Ingesting VPC flow logs into Edge Processor via Amazon Data Firehose</span></a> </li> </ul> </li> </ol> </div> </div> <div class="grape-footer grape-wrapper"> <div class="grape-wrapper-container"> <ol> <li class="grape-footer-copyright">&copy; Copyright 2024 Splunk Lantern</li> <li class="grape-footer-powered-by"><a href="https://mindtouch.com/demo" class="mt-poweredby product " title="MindTouch" target="_blank"> Powered by CXone Expert <span class="mt-registered">&reg;</span> </a></li> </ol> </div> </div> <div class="grape-footer-custom"> <div class="content-seperator-top"><p></p></div><div class="footer-wrapper"><footer><div class="footer-content-wrapper"><div class="footer-content-column"><div class="base-content"><div class="logo-container"><img src="/@api/deki/files/4014/Cisco-Splunk-Small-Transparent.png?origin=mt-web&lt;/div&gt;" alt="" /></div><div class="social-icon-container"><ul class="social-icon-list"><li class="social-icon-list-item"><a target="_blank" href="https://twitter.com/splunk" rel="external noopener nofollow" class="mt-icon-twitter4 link-https"></a></li><li class="social-icon-list-item"><a target="_blank" href="https://www.facebook.com/splunk" rel="external noopener nofollow" class="mt-icon-facebook6 link-https"></a></li><li class="social-icon-list-item"><a target="_blank" href="https://www.linkedin.com/company/splunk" rel="external noopener nofollow" class="mt-icon-linkedin2 link-https"></a></li><li class="social-icon-list-item"><a target="_blank" href="https://www.youtube.com/user/splunkvideos" rel="external noopener nofollow" class="mt-icon-youtube link-https"></a></li><li class="social-icon-list-item"><a target="_blank" href="https://www.instagram.com/splunk/" rel="external noopener nofollow" class="mt-icon-instagram3 link-https"></a></li></ul></div></div><div class="copyright-content"><p>&copy; 2005-2024 Splunk LLC All rights reserved.</p></div><div class="sitemap-content"><div class="sitemap-item"><a target="_blank" href="https://www.splunk.com/en_us/legal.html" rel="external noopener nofollow" class="link-https">Legal</a></div><div class="sitemap-item"><a target="_blank" href="https://www.splunk.com/en_us/legal/patents.html" rel="external noopener nofollow" class="link-https">Patents</a></div><div class="sitemap-item"><a target="_blank" href="https://www.splunk.com/en_us/legal/privacy/privacy-policy.html" rel="external noopener nofollow" class="link-https">Privacy</a></div><div class="sitemap-item"><a target="_blank" href="https://www.splunk.com/en_us/site-map.html" rel="external noopener nofollow" class="link-https">Sitemap</a></div><div class="sitemap-item"><a target="_blank" href="https://www.splunk.com/en_us/legal/terms/terms-of-use.html" rel="external noopener nofollow" class="link-https">Website Terms of Use</a></div></div></div></div></footer></div> <script type="text/javascript">/*<![CDATA[*/ const articleTitleContainer = document.querySelector(".elm-content-container header"); const articleTextContainer = document.querySelector("section.mt-content-container"); const sideNav = document.querySelector("aside.mt-content-side"); const burger = document.getElementById("side-nav-toggle-container"); function toggleSideNav() { articleTitleContainer.classList.toggle("side-nav-open"); articleTextContainer.classList.toggle("side-nav-open"); sideNav.classList.toggle("side-nav-open"); burger.classList.toggle("close"); } burger.addEventListener("click", toggleSideNav);/*]]>*/</script> <ol id="custom-classification-list" class="elm-meta-data elm-meta-bottom"></ol> <script type="text/javascript">/*<![CDATA[*/ document.addEventListener("DOMContentLoaded", function(event) { var pageTitle = document.getElementById("title"); var classifications = document.querySelector(".elm-classifications"); var listContainer = document.getElementById("custom-classification-list"); if (classifications) { var clone = classifications.cloneNode(true); listContainer.appendChild(clone); insertAfter(listContainer, pageTitle); var classificationsTop = document.querySelector("#custom-classification-list .elm-classifications"); var yesArr = classificationsTop.children; var check = checkClass(yesArr); console.log(check); if (check === 0) { listContainer.style.display = "none"; } else { listContainer.style.display = "block"; } } }); function insertAfter(newNode, existingNode) { existingNode.parentNode.insertBefore(newNode, existingNode.nextSibling); } function checkClass(arr) { var number = 0; for (var i =0; i < arr.length; i++) { var names = arr[i].classList; if (names[1].includes("mt-classification-technical-app-") || names[1].includes("mt-classification-technical-addon-") || names[1].includes("mt-classification-applied-product-")) { number++; } } return number; }/*]]>*/</script> </div> <script>/*<![CDATA[*/ dataLayer.push({"Pro_Member":seated}) /*]]>*/</script> <script>/*<![CDATA[*/ dataLayer.push({event:"Demandbase_Loaded"}); /*]]>*/</script> <script>/*<![CDATA[*/ /* * Hide default searchbar. * Show search bar only in default search page */ if (window.location?.pathname !== "/Special:Search") { const searchbarContainer = document.getElementsByClassName("elm-global-search"); if (searchbarContainer && searchbarContainer[0]) { searchbarContainer[0].replaceChildren(); } } /* * Set header background color to transparent * when user is in search page * In search page there is no search bar, then we can hide this header */ if (window.location?.pathname === "/Search") { const header = document.getElementsByClassName("elm-header-user-nav elm-nav"); if (header && header[0]) { header[0].style.backgroundColor = "transparent"; } } /*]]>*/</script> <script>/*<![CDATA[*/ /* * Render IT search bar component * Render in al locations different than new Search page */ if (window.location?.pathname !== "/Search") { const customThemeDefault = ` #sui-id-search-box-input-wrapper input { max-width: 100%; } `; const getSearchBarConfig = () => { return { env: "prod", language: "en", showSearchButton: false, searchBarRedirectUrl: "/Search", }; }; function renderSplunkSearchBarComponent() { const container = document.getElementById("ui-search-bar-container"); const headerContainer = document.getElementsByClassName("elm-global-search"); if (container) { const cc = document.createElement("wplt-search-bar-web-component"); cc.config = { ...getSearchBarConfig(), customTheme: customThemeDefault }; container.replaceChildren(cc); } if (headerContainer && headerContainer[0]) { const cc = document.createElement("wplt-search-bar-web-component"); cc.config = getSearchBarConfig(); headerContainer[0].replaceChildren(cc); } } } else { function renderSplunkSearchBarComponent() {} } /*]]>*/</script> <script defer="defer" onload="renderSplunkSearchBarComponent()" src="https://d38eume8qu1hmc.cloudfront.net/1.1.48/searchBar.js" type="text/javascript"></script> <script>/*<![CDATA[*/ /* * Render ITs Search component * Render only in search page */ if (window.location?.pathname === "/Search") { const getSearchConfig = () => { return { env: "prod", shouldClearFiltersOnNewSearch: false, language: "en", sideContentItems: "source_name_s,article_content_area_s,datePicker", analyticsConfig: { applicationName: "lantern", }, disclaimerSettings: { disableDisclaimer: true, }, initialFilters: [ { name: "source_name_s", value: ["Lantern"], type: "any", }, ], }; }; function renderSplunkSearchComponent() { const container = document.getElementById("ui-search-container"); if (container) { const cc = document.createElement("wplt-search-web-component"); cc.config = getSearchConfig(); container.replaceChildren(cc); } } } else { function renderSplunkSearchComponent() {} } /*]]>*/</script> <script defer="defer" onload="renderSplunkSearchComponent()" src="https://d38eume8qu1hmc.cloudfront.net/1.1.48/search.js" type="text/javascript"></script> <style>/*<![CDATA[*/ .elm-global-search { width: 50%; } /*]]>*/</style> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10