Hi everyone,
I’m currently collecting AWS CloudWatch logs from multiple accounts into a centralized logging account. However, new Log Groups are periodically created.
Is there a way to configure the Splunk Add-on for AWS so that it automatically collects logs from all existing and newly created CloudWatch Log Groups without having to manually add each one?
Any best practices or configuration tips would be greatly appreciated.
Thanks in advance!
My suggestion is to try the Generic S3 input in the Splunk Add-on for AWS: you can ingest logs collected from multiple AWS accounts and sent to a central S3 bucket. The S3 bucket typically contains logs from different accounts and different CloudWatch log groups, organized via the S3 key/prefix convention (such as AWSLogs/<AccountID>/<log-group-name>/...). This allows you to pull and distinguish logs from various groups and accounts.
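To show how the key/prefix convention above lets you tell accounts and log groups apart without registering each group by hand, here is an added example (not code from this thread or from the Splunk Add-on for AWS). It assumes a layout of `AWSLogs/<AccountID>/<log-group-name>/<YYYY>/<MM>/<DD>/<object>`, which is a convention chosen for the example; because CloudWatch log group names may themselves contain `/` (for instance `aws/lambda/...`), the parser anchors on the fixed components at both ends of the key instead of splitting on the first slash. The sample keys are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Assumed key layout (a convention of this example, not of the add-on):
#   AWSLogs/<AccountID>/<log-group-name>/<YYYY>/<MM>/<DD>/<object>
# The log group may span several path elements, so it is recovered as
# everything between the account element and the trailing date/object elements.
ACCOUNT_ID_RE = re.compile(r"\d{12}")   # AWS account IDs are 12 digits
YEAR_RE = re.compile(r"\d{4}")
TWO_DIGIT_RE = re.compile(r"\d{2}")

# Constructed sample listing of S3 object keys from a shared logging bucket.
SAMPLE_KEYS: List[str] = [
    "AWSLogs/111111111111/app-audit/2024/05/01/000000.gz",
    "AWSLogs/111111111111/aws/lambda/order-service/2024/05/01/000001.gz",
    "AWSLogs/222222222222/vpc-flow/2024/05/01/000000.gz",
    "AWSLogs/222222222222/vpc-flow/2024/05/02/000000.gz",
    "AWSLogs/bad-account/app-audit/2024/05/01/000000.gz",   # malformed account
    "AWSLogs/111111111111/",                                 # directory marker
    "AWSLogs/111111111111/app-audit/000000.gz",              # missing date path
    "other-prefix/111111111111/app-audit/x.gz",              # outside the convention
]


@dataclass(frozen=True)
class LogObject:
    account_id: str
    log_group: str
    day: str   # YYYY-MM-DD taken from the key path
    key: str


def parse_key(key: str) -> Optional[LogObject]:
    """Return the account/log-group/day encoded in a key, or None if the key
    does not follow the assumed layout (such keys are skipped, not guessed)."""
    parts = key.split("/")
    # prefix + account + at least one log-group element + YYYY + MM + DD + object
    if len(parts) < 7 or parts[0] != "AWSLogs":
        return None
    account = parts[1]
    if not ACCOUNT_ID_RE.fullmatch(account):
        return None
    yyyy, mm, dd, obj = parts[-4:]
    if not (YEAR_RE.fullmatch(yyyy) and TWO_DIGIT_RE.fullmatch(mm)
            and TWO_DIGIT_RE.fullmatch(dd) and obj):
        return None
    group_parts = parts[2:-4]
    if not all(group_parts):          # reject empty path elements
        return None
    return LogObject(account, "/".join(group_parts), f"{yyyy}-{mm}-{dd}", key)


def discover_groups(keys: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each account ID to the set of log groups seen under it, so newly
    created groups show up as soon as their first object lands in the bucket."""
    found: Dict[str, Set[str]] = {}
    for k in keys:
        obj = parse_key(k)
        if obj is None:
            continue
        found.setdefault(obj.account_id, set()).add(obj.log_group)
    return found


def select_keys(keys: Iterable[str], account_id: str, log_group: str) -> List[str]:
    """Keys belonging to one account and log group, e.g. for a per-group input."""
    return [o.key for o in map(parse_key, keys)
            if o is not None and o.account_id == account_id and o.log_group == log_group]


if __name__ == "__main__":
    for account, groups in sorted(discover_groups(SAMPLE_KEYS).items()):
        print(account, sorted(groups))
    print(select_keys(SAMPLE_KEYS, "222222222222", "vpc-flow"))
```

Running a listing through `discover_groups` periodically gives you an inventory of (account, log group) pairs that can be compared against what is already configured; keys that do not match the layout are skipped rather than mis-attributed, which is the behaviour you want when the bucket also receives objects written under other prefixes.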