https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213362#M22938 <P>@mwiora - it's possible that the images are not loading on your end due to their size. Here's a direct <A href="http://blogs.splunk.com/wp-content/uploads/2017/02/2.-Configure-Lambda-env-vars-and-role.png">link</A> to one of the images for example.</P> <P>Best place to investigate is usually your browser console. Otherwise, try clearing your cache and refresh.</P> Tue, 07 Feb 2017 16:58:49 GMT rarsan_splunk 2017-02-07T16:58:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213356#M22932 <P>I'm configuring the Splunk Add-on for Amazon Web Services and want to forward CloudWatch logs into Splunk. I can do this if I know the exact loggroup name in CloudWatch logs however if the lambda function is created using CloudFormation it creates a dynamic name with an ID in the loggroup. How can I tell Splunk to look for CloudWatch log groupnames using regex?</P> <P>I'm configuring using this file: aws_cloudwatch_logs_tasks.conf:</P> <PRE><CODE>[direct data wildcard] account = splunk-aws-lob-npd delay = 1800 groups = /aws/lambda/directdata-dev.* index = default interval = 60 only_after = 1970-01-01T00:00:00 region = us-east-1 sourcetype = aws:cloudwatchlogs:directdatawildcard stream_matcher = .* </CODE></PRE> Tue, 29 Sep 2020 11:09:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213356#M22932 a263534 2020-09-29T11:09:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213357#M22933 <P>I don't think you can. I tried almost every combination as well and wasn't able to do it myself. I ended resorting to this <CODE>aws logs describe-log-groups --output text --query 'logGroups[*].[logGroupName]' |tr '\n' ','</CODE> . This however leads to other issues where a large amount of log_groups can cause ThrottlingExceptions</P> Tue, 04 Oct 2016 20:31:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213357#M22933 lcasey001 2016-10-04T20:31:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213358#M22934 <P>Thank you - yeah I ended up opening a case w\ splunk and they are aware of this issue and it will be added in a future release. I also created a script that used aws CLI but I'm pulling directly from the list of lambda functions to only get the most current CW log groups which is helping with throttling. </P> Thu, 06 Oct 2016 16:41:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213358#M22934 a263534 2016-10-06T16:41:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213359#M22935 <P>To avoid CloudWatch Logs API throttling issues due to polling, you may want to consider the near real-time streaming of CloudWatch Logs into Splunk via Lambda (i.e. <STRONG>CloudWatch Logs</STRONG> --&gt; <STRONG>Lambda</STRONG> --&gt; <STRONG>Splunk</STRONG>) as explained in this blog post:<BR /> <A href="http://blogs.splunk.com/2017/02/03/how-to-easily-stream-aws-cloudwatch-logs-to-splunk/">http://blogs.splunk.com/2017/02/03/how-to-easily-stream-aws-cloudwatch-logs-to-splunk/</A></P> <P>To help with automation, these Lambda functions, acting as logs forwarders, could even be created along with your original logs-producing Lambda functions (or other AWS services) within the same CloudFormation template.</P> Mon, 06 Feb 2017 04:33:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213359#M22935 rarsan_splunk 2017-02-06T04:33:50Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213360#M22936 <P>Hi rarsan,</P> <P>this seems to be your blogpost.<BR /> Could you please have a look on the image-issues?</P> <P>Cheers and thanks in advance,<BR /> µatthias</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1909i5B91CF60FDA907F0/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 07 Feb 2017 16:43:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213360#M22936 mwiora 2017-02-07T16:43:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213361#M22937 <P>Hi a263534,</P> <P>can you share your script? It would be a great help!<BR /> Cheers,<BR /> µatthias</P> Tue, 07 Feb 2017 16:52:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213361#M22937 mwiora 2017-02-07T16:52:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213362#M22938 <P>@mwiora - it's possible that the images are not loading on your end due to their size. Here's a direct <A href="http://blogs.splunk.com/wp-content/uploads/2017/02/2.-Configure-Lambda-env-vars-and-role.png">link</A> to one of the images for example.</P> <P>Best place to investigate is usually your browser console. Otherwise, try clearing your cache and refresh.</P> Tue, 07 Feb 2017 16:58:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213362#M22938 rarsan_splunk 2017-02-07T16:58:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213363#M22939 <P>@rarsan yeah - thanks for the fast reply!<BR /> It turned out that blogs.spunk.com has been provided with a SHA1 signed Certificate and you included the pictures by using HTTPS (probably by default).</P> <P>As of Google Chrome 56.0.2924.87 does not recognize SHA1 signed Certificates as secure, the images are not displayed - yay <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> <P><A href="https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html">https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html</A></P> <P>Splunk should take action and update their certificates - especially, since this is the main wildcard-certificate <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 07 Feb 2017 17:20:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213363#M22939 mwiora 2017-02-07T17:20:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213364#M22940 <P>Thanks @mwiora. I've reported this to our web dev team.<BR /> You're right, the explicit https was default behavior. I've also updated the images sources to follow page protocol. </P> Tue, 07 Feb 2017 23:12:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Amazon-Web-Services-How-can-I-configure-Splunk/m-p/213364#M22940 rarsan_splunk 2017-02-07T23:12:22Z