All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

AWS Config snapshots missing

workiswerk
Explorer
‎09-20-2018 05:06 PM

Currently my Splunk index only has aws:config:rule and aws:config:notification events. There are no aws:config snapshot events, so the topology feature doesn't work. I have set up the old Config input that takes in an SQS per region. Every Config service in every other account has its delivery channel send to a central SNS in the same region, which then sends to the SQS that Splunk queries.

The dev manager of the AWS app said

The initial inventory get populated by
triggering a AWS Config Snapshot. When
you add a Config input, the snapshot
will be triggered automatically,
unless your IAM user don't have such
permission.

(see https://answers.splunk.com/answers/337327/splunk-app-for-aws-will-my-current-configuration-f.html answer).

My IAM user has the proper permission (config:DeliverConfigSnapshot). But no snapshot was triggered or imported. I even manually triggered a Config snapshot via the CLI as recommended in https://answers.splunk.com/answers/378001/aws-app-description-vs-config.html, but that did not do anything.

For context, I also have some Config Rule inputs set up beforehand that I did not touch during this whole process.

Thoughts on how I can get my Splunk app to populate with aws:config events??

0 Karma
Reply

workiswerk
Explorer
‎09-24-2018 02:51 PM

Update: gave up on this, manually imported Config snapshots with HEC.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...