AWS Add-on error: The search for datamodel 'CloudFront_Access_Log' failed to parse, cannot get indexes to search

This is in regard to the Splunk Add-on for AWS:
Immediately after downloading and configuring to connect to our AWS Account, I receive this error immediately when using the Splunk AWS Add-on Dashboard:

The search for datamodel 'CloudFront_Access_Log' failed to parse, cannot get indexes to search

Not sure if it was a permissions issue, so I set the permissions on the datamodel to global, but it didn't help. I've read somewhere that someone had a similar problem and it was resolved by "expanding the datamodel macros". Could this help in this case, and if so, where should I go to do this?

Any thoughts?

Thanks!

AlexW

Motivator

1. Make the app 'Splunk App for AWS' visible to all.

2. Also, check whether the lookup table 'cloudfront_edges' is populated. If not, run/schedule the report 'AWS Description - CloudFront Edges'.

Splunk Employee

It could be a macro issue. Please check the macro "aws-s3-index" in the AWS App. Does it have all the indexes you used for CloudFront access logs?
I also recommend that you upgrade to app v5.1 and add-on v4.4.

Path Finder

I am also seeing this error. Were you able to figure it out?
