All Apps and Add-ons

I configured the Splunk App for AWS with a new Cloudtrail input, but why are SQS queues not showing up in the drop-down?

amirh2
Engager

I've followed the steps on the page: "New Input: CloudTrail"
I'm receiving Cloudtrail logs in the SQS queue. I've granted the AWS user account used by Splunk AmazonSQSReadOnlyAccess, but when I go to configure the input, the drop-down for "SQS queue" doesn't show any queues.

The AWS policy doc has

  "Action": [
    "sqs:GetQueueAttributes",
    "sqs:ListQueues"
  ],

So I'm not sure why the Splunk App for AWS isn't showing anything. Did anyone experience this?

Thanks.

rrich
Explorer

There's a bug in the code. I haven't tested it completely, but on or about line 152 of $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.py, you'll see something like:

for topic_name in topics:

make a backup of the file and change it to

if topic_name:

Then remove $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.pyc (note the trailing c) and try again.

"/opt/splunk/etc/apps/splunk_app_aws/bin/aws/aws_utils.py" line 154 of 693 --22%-- col 13

doug_hall
Explorer

I had the same problem, this fixed it for me. I'm running Splunk App for AWS v4.2.1.

0 Karma

dmckean
Engager

Running SplunkCloud here as well. This really needs to be fixed, as it severely impacts Splunk's key feature of log ingestion and parsing. Plus it's embarrassing for me to be telling my boss "why isn't it fixed yet" and pull out a lame excuse of "it's a Splunk issue"... and the comeback of "If Splunk is flaky like this, why did spend thousands on it?"

0 Karma

amirh2
Engager

Thanks! I'm running Splunk Cloud, so not sure how I go about doing that change (if at all possible)

0 Karma

joehealy
New Member

I am having the same problem on Splunk Cloud with trying to configure Config and Cloudtrail ingestion via SQS. It is not a permission issue.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...