Hi
I have tried to follow the setup guide for creating inputs and cloudtrail and was-config are working great now. However, I cannot get any data into Splunk from cloudwatch. Usual suspects such as IAM permissions etc are all verified (and working for the other services)
index = _internal source=*aws_cloudwatch*
Just shows repeated messages of....
2015-08-03 21:42:01,743 INFO pid=20635 tid=MainThread file=aws_cloudwatch.py:stream_events:978 | query work queued = 0, deferred = 0 , scan_time = 0.000s
I suspect my config around metric_dimensions isn't quite right, but the docs are a little vague on this. I wanted to capture information from any instance in my (small) account, but even setting to a specific Instance ID, I still get no data and my cloudwatch index is reported as empty. (config below)
It's driving me mad now and although I can find a few people reporting the same problem, I can't see any posted answers.
Any help appreciated.
[aws_cloudwatch]
aws_account = xxxxxxxxxxxxxxx
aws_region = eu-west-1
metric_namespace = AWS/EC2
metric_names = ["CPUUtilization","DiskReadOps","StatusCheckFailed_System"]
metric_dimensions = [{"InstanceId":"i-e42a8aa9", "Region":"eu-west-1"}]
statistics = ["Average","Maximum","Minimum","Sum"]
period = 60
polling_interval = 60
sourcetype = aws:cloudwatch
queueSize = 128KB
persistentQueueSize = 24MB
interval = 30
index = aws-cloudwatch
that log says it's getting into the queue okay, but not finding anything there. Can you look at the queue from Amazon's management page and see if there are messages?