This is in regard to the Splunk Add-on for AWS:
Immediately after downloading the add-on and configuring it to connect to our AWS account, I receive this error when using the Splunk AWS Add-on Dashboard:
The search for datamodel 'CloudFront_Access_Log' failed to parse, cannot get indexes to search
I was not sure if it was a permissions issue, so I set the permissions on the datamodel to global, but it didn't help. I've read somewhere that someone had a similar problem and it was resolved by "expanding the datamodel macros". Could this help in this case, and if so, where should I go to do this?
1. Make the app 'Splunk App for AWS' visible to all.
2. Also, check whether the lookup table 'cloudfront_edges' is populated. If not, run/schedule the report 'AWS Description - CloudFront Edges'.
It could be a macro issue. Please check the macro "aws-s3-index" in the AWS App. Does it have all the indexes you used for CloudFront access logs?
I also recommend that you upgrade to app v5.1 and add-on v4.4.