Exam DEA-C01
Question 90

A company plans to provision a log delivery stream within a VPC. The company configured the VPC flow logs to publish to Amazon CloudWatch Logs. The company needs to send the flow logs to Splunk in near real time for further analysis.

Which solution will meet these requirements with the LEAST operational overhead?

    Correct Answer: B

    To send VPC flow logs to Splunk in near real-time with minimal operational overhead, the best solution is to create an Amazon Kinesis Data Firehose delivery stream with Splunk as the destination and use a CloudWatch Logs subscription filter to send log events to this delivery stream. Amazon Kinesis Data Firehose has built-in support for Splunk, simplifying the integration process and eliminating the need for additional components like AWS Lambda functions or custom integrations. This approach streamlines the data flow and reduces management complexity compared to using Kinesis Data Streams or additional Lambda functions.
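What the subscription filter in this solution actually hands to the delivery stream can be shown with a short decoder. This is an added example, not part of the original page: the function names and the sample payload are constructed, and it assumes the default (version 2) flow log format and the gzip-compressed JSON envelope that CloudWatch Logs subscriptions deliver.

```python
import gzip
import json

# Default (version 2) VPC flow log fields, in the order they appear on each line.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_line(line):
    """Parse one default-format flow log line; '-' (NODATA/SKIPDATA) becomes None."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    return {name: None if value == "-" else (int(value) if name in INT_FIELDS else value)
            for name, value in zip(FLOW_FIELDS, parts)}


def decode_subscription_record(data):
    """Decode one gzip-compressed subscription payload into a list of flow records."""
    envelope = json.loads(gzip.decompress(data))
    if envelope.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE payloads are destination health checks, not log data
    records = []
    for event in envelope["logEvents"]:
        rec = parse_flow_line(event["message"])
        rec["log_group"] = envelope["logGroup"]
        rec["event_time_ms"] = event["timestamp"]
        records.append(rec)
    return records


def build_sample(message_type="DATA_MESSAGE"):
    """Constructed sample payload (not captured traffic), compressed as the subscription sends it."""
    eni = "eni-0123456789abcdef0"
    envelope = {
        "messageType": message_type, "owner": "123456789012",
        "logGroup": "example-vpc-flow-logs", "logStream": eni + "-all",
        "subscriptionFilters": ["example-to-firehose"],
        "logEvents": [
            {"id": "1", "timestamp": 1620000060000, "message":
             f"2 123456789012 {eni} 203.0.113.7 10.0.1.25 51544 22 6 3 180 1620000000 1620000060 REJECT OK"},
            {"id": "2", "timestamp": 1620000060000, "message":
             f"2 123456789012 {eni} - - - - - - - 1620000000 1620000060 - NODATA"},
        ],
    }
    return gzip.compress(json.dumps(envelope).encode())
```

Because the payload arrives compressed and wrapped in this envelope, the receiving side has to unpack it before individual flow records can be searched.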

Discussion
tgv
Option: B

Kinesis Data Firehose has built-in support for Splunk as a destination, making the integration straightforward. Using a CloudWatch Logs subscription filter directly to Firehose simplifies the data flow, eliminating the need for additional Lambda functions or custom integrations.

bakarys
Option: B

Creating an Amazon Kinesis Data Firehose delivery stream to use Splunk as the destination and creating a CloudWatch Logs subscription filter to send log events to the delivery stream would meet these requirements with the least operational overhead. Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics services. It can capture, transform, and deliver streaming data to Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, generic HTTP endpoints, and service providers like Splunk. CloudWatch Logs subscription filters allow you to send real-time log events to Kinesis Data Firehose and are ideal for scenarios where you want to forward the logs to other services for further analysis. Options A and D involve Kinesis Data Streams, which would require additional management and operational overhead. Option C involves creating a Lambda function, which also adds operational overhead. Therefore, option B is the best choice.