All Apps and Add-ons

Splunk App and Add-on for AWS: How to resolve CloudWatch Logs input that are not being ingested?

Engager

Using Splunk App for AWS (v5.0.0) and Splunk Add-On for Amazon Web Services (v4.1.2), we have configured a "CloudWatch Logs" input against a specific log group in our AWS account. The log group is a sort of catch-all, being populated with various log entries coming from an application. The input was configured with a sourcetype of "aws:cloudwatchlogs", but we are seeing no data for that sourcetype.

We also found that by default, the stream matching regex was set to "eni.*", which would be correct for VPC Flow Logs -- so we changed this to be simply ".*" using the Splunk Add-On for Amazon Web Services (the stream matching regex is not a configuration option in the Splunk App for AWS itself) -- to no avail. We still are not getting any entries with the sourcetype of "aws:cloudwatchlogs".

Which log file or files can we check in to further diagnose the issue here? Any other advice to try to determine why these entries are seemingly not being indexed?

Thanks.

1 Solution

Engager

Seems that upgrading to the latest versions of both the Splunk App and the AWS Add-on has resolved this issue.

View solution in original post

Engager

Seems that upgrading to the latest versions of both the Splunk App and the AWS Add-on has resolved this issue.

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!