I just configured an input for my Cost and Usage data in the Splunk Add-On for AWS. It brought in loads of billing data from S3, but only used an event_type of "aws_billing_report", therefore none of the saved searches are working, since they are all looking for event_types of "aws_billing_monthly_report" or "aws_billing_detail_report" per this article:

https://docs.splunk.com/Documentation/AddOns/released/AWS/AccessBillingReportdata#Event_types_for_bi....

I had set this up in another account a year or so ago and it sourced the data from the .csv files at the root of the bucket (ex: s3://xxx-aws-consolidated-billing/5433816xxxxx-aws-cost-allocation-2019-09.csv)

This time it's using the g-zipped version of the file (ex: s3://xxx-aws-consolidated-billing/cost-and-usage/cost_and_usage_reports/20190701-20190801/cdf624e4-d75c-4f02-ad8b-e0df9bab9cec/cost_and_usage_reports-2.csv.gz ). Not sure if this is related or not.

I have reconfigured the input with the following settings, but it's not bringing in any new data:

Index = aws
Interval (in seconds) = 86400
Name = AWS-BILLING
Report Name Pattern = \d+-aws-billing-detailed-line-items-….-\d+.csv.zip|\d+-aws-cost-allocation-….]-\d+.csv
Report Prefix = AWS Bill -
S3 Bucket = xxx-aws-consolidated-billing
Source Type = aws:billing:cur
Start Date = 2019-06
Temp Folder = N/A

Any assistance is appreciated.