1. Did you set up the input as an SQS input or generic S3, etc.?
2. Are you sure the ELB is a classic ELB or an ALB?
(sourcetype=aws:alb:accesslogs -> will have to be typed into the sourcetype field, as it is not auto-populated)
3. Check that your Splunk user credentials allow you to pull the logs (IAM user on AWS).