Using Splunk App for AWS (v5.0.0) and Splunk Add-On for Amazon Web Services (v4.1.2), we have configured a "CloudWatch Logs" input against a specific log group in our AWS account. The log group is a sort of catch-all, being populated with various log entries coming from an application. The input was configured with a sourcetype of "aws:cloudwatchlogs", but we are seeing no data for that sourcetype.
We also found that by default, the stream matching regex was set to "eni.*", which would be correct for VPC Flow Logs -- so we changed this to be simply ".*" using the Splunk Add-On for Amazon Web Services (the stream matching regex is not a configuration option in the Splunk App for AWS itself) -- to no avail. We still are not getting any entries with the sourcetype of "aws:cloudwatchlogs".
Which log file or files can we check in to further diagnose the issue here? Any other advice to try to determine why these entries are seemingly not being indexed?
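As an added example (not part of the question above, and not code from the Splunk Add-on for AWS), the snippet below dry-runs a stream-matching regex against a constructed set of CloudWatch log stream names before it is applied to an input. It shows why "eni.*" silently skips application streams in a catch-all log group and why ".*" admits everything; the sample stream names and the assumption that the pattern is matched from the start of the name (`re.match` semantics) are both this example's, not the add-on's documented behaviour.

```python
import re

# Constructed sample of CloudWatch log stream names as they might appear in a
# catch-all log group that mixes VPC Flow Logs with application output.
SAMPLE_STREAMS = [
    "eni-0a1b2c3d4e5f6a7b8-all",     # VPC Flow Logs stream (constructed)
    "eni-0123456789abcdef0-accept",  # VPC Flow Logs stream (constructed)
    "app/web/i-0abc123def456",       # application stream (constructed)
    "app/worker/2019-05-01",         # application stream (constructed)
    "lambda/eni-cleanup",            # contains "eni", but not at the start (constructed)
]


def match_streams(pattern, streams, anchored=True):
    """Return (matched, skipped) lists for a stream-matching regex.

    anchored=True uses re.match, so the pattern has to match from the start of
    the stream name; this mirrors how a pattern like "eni.*" is usually meant
    and is an assumption here, not the add-on's documented semantics.
    anchored=False uses re.search, which matches anywhere in the name.
    An invalid pattern raises re.error so a typo is caught before the input is
    reconfigured.
    """
    compiled = re.compile(pattern)
    check = compiled.match if anchored else compiled.search
    matched = [s for s in streams if check(s)]
    skipped = [s for s in streams if not check(s)]
    return matched, skipped


def dry_run(pattern, streams=SAMPLE_STREAMS, anchored=True):
    """Print which streams a pattern would admit or skip, and return them."""
    matched, skipped = match_streams(pattern, streams, anchored)
    print(f"pattern {pattern!r} (anchored={anchored}): "
          f"{len(matched)} matched, {len(skipped)} skipped")
    for s in matched:
        print("  +", s)
    for s in skipped:
        print("  -", s)
    return matched, skipped


if __name__ == "__main__":
    dry_run("eni.*")                 # default: only the VPC Flow Logs streams
    dry_run(".*")                    # catch-all: every stream in the group
    dry_run("eni", anchored=False)   # unanchored search also picks up "lambda/eni-cleanup"
```

Run it with the pattern you intend to configure; if the application streams land in the skipped list, the regex, not the indexer, explains the missing "aws:cloudwatchlogs" events. If everything is matched and the sourcetype still shows no data, the filter can be ruled out and attention moves to the input's own logs and to the add-on's permissions on the log group.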