https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747809#M29527 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/269896">@zksvc</a>&nbsp;</P><P>It looks like the inputs are polling AWS Cloudwatch too frequently, which is giving your Rate Limit exception.&nbsp;</P><P>If you have just set this up then it will be trying to pull logs back from whatever the&nbsp;<SPAN>only_after date you set was (see&nbsp;<A href="https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/" target="_blank">https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/</A>&nbsp;for input config descriptions)</SPAN></P><P><SPAN>If you left this field blank then I believe it tries to load all the events in the Cloudwatch logs group in AWS. Ultimately it looks like its repeatedly querying CW Logs to get more logs which is why it is hitting the rate limit. The number of polls to CW Logs will reduce once it has caught up to the current date. It might be worth enabling one at a time to allow them to catch up gradually.</SPAN></P><P>If you do not need the historic data then I would suggest cloning the inputs and setting the&nbsp;<SPAN>only_after date to a recent date and then deleting the old input. I dont think it is possible to change the&nbsp;only_after once created because of how the checkpoint of the current date/time is recorded, but I may be wrong here.</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 11 Jun 2025 11:09:25 GMT livehybrid 2025-06-11T11:09:25Z https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747808#M29526 <P>Hi Everyone,&nbsp;</P><P>I encountered an error while ingesting sourcetype=aws:cloudtrails in AWS Apps. I attempted to ingest data from the following sources: aws:waflogs, aws:network-firewall-log, aws:cloudtrails, aws:securityhub-log-group. However, upon checking, only aws:waflogs and aws:network-firewall-log were ingested. Attached below are the errors from the logs.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zksvc_0-1749639515584.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39343i78CABA4448C46815/image-size/medium?v=v2&amp;px=400" role="button" title="zksvc_0-1749639515584.png" alt="zksvc_0-1749639515584.png" /></span></P><P>Also i screenshot inputs config from the apps side here :&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zksvc_2-1749639584109.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39345i602405CA493B628E/image-size/medium?v=v2&amp;px=400" role="button" title="zksvc_2-1749639584109.png" alt="zksvc_2-1749639584109.png" /></span></P><P>Last i show you the proof if i only received that 2 sourctypes here :&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zksvc_3-1749639668960.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39346i25F6B00C73350D11/image-size/medium?v=v2&amp;px=400" role="button" title="zksvc_3-1749639668960.png" alt="zksvc_3-1749639668960.png" /></span></P><P>&nbsp;</P><P>If you have any experience from this issue, please give me the answer.&nbsp;</P><P>&nbsp;</P><P>Danke,</P><P>&nbsp;</P><P>Zake</P><P>&nbsp;</P> Wed, 11 Jun 2025 11:01:48 GMT https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747808#M29526 zksvc 2025-06-11T11:01:48Z https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747809#M29527 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/269896">@zksvc</a>&nbsp;</P><P>It looks like the inputs are polling AWS Cloudwatch too frequently, which is giving your Rate Limit exception.&nbsp;</P><P>If you have just set this up then it will be trying to pull logs back from whatever the&nbsp;<SPAN>only_after date you set was (see&nbsp;<A href="https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/" target="_blank">https://splunk.github.io/splunk-add-on-for-amazon-web-services/CloudWatchLogs/</A>&nbsp;for input config descriptions)</SPAN></P><P><SPAN>If you left this field blank then I believe it tries to load all the events in the Cloudwatch logs group in AWS. Ultimately it looks like its repeatedly querying CW Logs to get more logs which is why it is hitting the rate limit. The number of polls to CW Logs will reduce once it has caught up to the current date. It might be worth enabling one at a time to allow them to catch up gradually.</SPAN></P><P>If you do not need the historic data then I would suggest cloning the inputs and setting the&nbsp;<SPAN>only_after date to a recent date and then deleting the old input. I dont think it is possible to change the&nbsp;only_after once created because of how the checkpoint of the current date/time is recorded, but I may be wrong here.</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 11 Jun 2025 11:09:25 GMT https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747809#M29527 livehybrid 2025-06-11T11:09:25Z https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747810#M29528 <P>Thanks for your reply,&nbsp;<BR /><SPAN>I will try to change the interval time to 600 seconds first.&nbsp;</SPAN></P> Wed, 11 Jun 2025 11:16:13 GMT https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747810#M29528 zksvc 2025-06-11T11:16:13Z https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747858#M29529 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp; I have changed the interval to 600 seconds, but the data is still not available. Is there any other solution that you know?</P> Thu, 12 Jun 2025 01:51:41 GMT https://community.splunk.com/t5/Deployment-Architecture/Error-Ingest-Data-AWS-Cloudtrail-quot-error-Traceback-most/m-p/747858#M29529 zksvc 2025-06-12T01:51:41Z