Hi I know this is quite old thread. However, Now I'm suing Add-on for Amazon Web Services version 5.0.0. I have ingested ELB logs as described in https://docs.splunk.com/Documentation/AddOns/released/AWS/IncrementalS3.

Now I could see the logs are being ingested. However, those events still no parsing. still I could see only the raw logs. I have added the props.conf as you shows above, still the issue is same. 

Am I missing something else? 

@rarsan_splunk I am curious if you are sending the ALB log unzipped to the HEC as raw and letting the events in the file get indexed that way, or using the lambda to send each line as a log event to the HEC.

Yes, Lambda function would take care of uncompressing the ALB logs, parsing each line, and send the raw line events in batches to HEC. Here's a snippet of a working code, where logger is a simple HEC client library you can find from Splunk Lambda blueprints in AWS Lambda console, and payload is the retrieved log.gz file from s3.

 zlib.gunzip(payload, (err, result) => {
    if (err) {
        console.log(err);
        callback(err);
    } else {
        const parsed = result.toString('ascii');
        const logEvents = parsed.split("\n");
        let count = 0, time;
        if (logEvents) {
            logEvents.forEach((event) => {
                if (event) {
                    // Extract timestamp as 2nd field in log entry
                    // For more details: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#ac...
                    time = event.split(' ')[1];
                    // Forward with source-specified timestamp
                    // (optional 'context' arg used to add Lambda metadata e.g. awsRequestId, functionName)
                    logger.logWithTime(time, event, context);
                    count += 1;
                }
            });
            console.log(`Processed ${count} log entries`);
        }

        logger.flushAsync((err, response) => {
            if (err) {
                callback(err);
            } else {
                console.log(`Response from Splunk:\n${response}`);
                callback(null, count); // Echo number of events forwarded
            }
        });
    }
})

Hi I am with Splunk-TA-AWS 4.4, but I can see any option for [aws:alb:accesslogs] when using the Web UI to onboard new alb logs? I can't find a stanza in the props.conf either? How do we onboard alb access logs?

I have asked engineering and in add-on version 4.4 ALB is indeed supported. The sourcetype keep being called "aws:elb:accesslogs" however, so both CLB, ALB & ELB are all under aws:elb:accesslogs

Thanks ytenenbaum,

Yes, I did use sourcetype 'aws:elb:accesslogs', for our alb logs. Field extraction work fine.

I checked the props.conf in default, found the field extraction is actually using source instead of using sourcetype. That explains why... See below for the configurations

Application Load Balancer

[source::...(/|\)\d+elasticloadbalancing.log.gz]
EXTRACT-elb = ^\s(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[0-9.]+):(?P\d+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[\d-]+)\s+(?P[\d-]+)\s+(?P\d+)\s+(?P\d+)\s+"(?P.+)"\s+"(?P.+)"\s+(?P[-\w]+)\s*(?P[-\w.]+)\s+(?P[^\s]+)\s+(?P[^\s]+)
EVAL-rtt = request_processing_time + target_processing_time + response_processing_time

I found this helpful, I think. Point added. We are also looking to start ingesting ALB logs. I know that with ELB access logs we had to set the "Incremental Log" type in the config web wizard, and I don't think the incremental log option shows up unless you set the sourcetype to elb:accesslogs. Will I just have to set whatever the incremental log option is in one of the config on my collection node?

May i ask if we are using incr-s3 or generic s3 to do elb log collection. Please try increment S3

• ALB is not yet supported, but it is coming in a future version
• Incremental currently supports only 4 different types of data, so setting the sourcetype to something unsupported will not help, unless you create the props/transforms by yourself