Dear Team,

This is my setup for analyzing log from S3:

1 - splunk enterprise 8.1 for standalone VM.

2 - S3 IAM role for bucket with logs.

3 - I installed Splunk Add-on for AWS

4 - for first run, everything is okay. However, i shutdown the VM, and increased the RAM for this VM. and here the problem start:

Query from the health Check:

Index=“_internal”  (host=“*”)   (sourcetype=aws:s3:log OR sourcetype=aws:logs:log OR sourcetype=aws:sqsbaseds3:log OR sourcetype=aws:description:log OR sourcetype=aws:cloudwatch:log)   (datainput=“*”)   level=ERROR                  message=“Failed to collect data through generic S3.” | fillnull value=“” ErrorCode, ErrorDetail                 | eval ErrorDetail = if((ErrorDetail == “” or ErrorDetail == “‘’“) and !isnull(message), message, ErrorDetail)

Response:

2020-10-24 01:23:18,036 level=ERROR pid=25464 tid=Thread-7 logger=splunk_ta_aws.modinputs.generic_s3.aws_s3_data_loader pos=aws_s3_data_loader.py:index_data:91 | datainput=“bucket-log” bucket_name=“logs-storage” | message=“Failed to collect data through generic S3.” start_time=1603473783 job_uid=“f852cf4b-f1fe-4197-bf93-3494f3d2adb7"
Traceback (most recent call last):
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py”, line 86, in index_data
    self._do_index_data()
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py”, line 107, in _do_index_data
    self.collect_data()
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py”, line 153, in collect_data
    self._discover_keys(index_store)
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_data_loader.py”, line 233, in _discover_keys
    for key in keys:
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_common.py”, line 227, in get_keys
    for key in keys:
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_common.py”, line 196, in bucket_lister
    encoding_type=encoding_type)
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/solnlib/utils.py”, line 172, in wrapper
    raise last_ex
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/solnlib/utils.py”, line 159, in wrapper
    return func(*args, **kwargs)
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/generic_s3/aws_s3_common.py”, line 186, in get_all_keys
    encoding_type=encoding_type)
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/boto/s3/bucket.py”, line 474, in get_all_keys
    ‘’, headers, **params)
  File “/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/python3/boto/s3/bucket.py”, line 412, in _get_all
    response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 400 Bad Request
<?xml version=“1.0" encoding=“UTF-8”?>
<Error><Code>ExpiredToken</Code><Message>The provided token has expired.</Message><Token-0>xxxx</Token-0><RequestId>aaaaaaa</RequestId><HostId>Ibbbbb</HostId></Error>

I would like to know what the root cause of this? and how to fix it?