All Apps and Add-ons

Splunk App and Add-on for AWS: How to resolve a CloudWatch Logs input that is not being ingested?

pierreyanni
Engager

Using Splunk App for AWS (v5.0.0) and Splunk Add-On for Amazon Web Services (v4.1.2), we have configured a "CloudWatch Logs" input against a specific log group in our AWS account. The log group is a sort of catch-all, being populated with various log entries coming from an application. The input was configured with a sourcetype of "aws:cloudwatchlogs", but we are seeing no data for that sourcetype.

We also found that by default, the stream matching regex was set to "eni.*", which would be correct for VPC Flow Logs -- so we changed this to be simply ".*" using the Splunk Add-On for Amazon Web Services (the stream matching regex is not a configuration option in the Splunk App for AWS itself) -- to no avail. We still are not getting any entries with the sourcetype of "aws:cloudwatchlogs".

Which log file or files can we check to further diagnose the issue here? Any other advice to try to determine why these entries are seemingly not being indexed?

Thanks.

1 Solution

pierreyanni
Engager

Seems that upgrading to the latest versions of both the Splunk App and the AWS Add-on has resolved this issue.

