Splunk App for AWS - AWS Config

abovebeyond18
Explorer

Hey all,
I'm trying to set up the AWS Config input for "Splunk App for AWS"; all of the inputs are set on "Splunk Add-On for AWS", including AWS Config -> SQS based S3.

The sourcetype is "aws:config", and I can search for this sourcetype; data seems to parse in the right way.

I received the following message while trying to access the dashboard under "Insights -> Config Rules"

"Some panels may not be displayed correctly because the following inputs have not been configured: Config Rule"

Thanks!

amiracle
Splunk Employee

That error message is a legacy component of the older AWS App. If you go under Configure in the Splunk App for AWS, you can uncheck the settings and it will remove those alerts. This was when we had the App communicating with the HF to make sure the modular inputs were being correctly set up. Today, that functionality has been removed.

0 Karma

deastman
SplunkTrust

What version of the App are you running? Just so I can make sure I'm not speaking on anything in the newer version which may not be in a version you are using.

Also, was this a new install? Or an upgrade?

-Dustin

0 Karma

abovebeyond18
Explorer

Hey Dustin, it is Splunk Cloud server 7.1.3.3

Splunk Add-on for AWS Splunk_TA_aws 4.6.0
Splunk App for AWS splunk_app_aws 5.1.1

Yes, if I search for:
sourcetype=aws:config:rule
there is data...

0 Karma

deastman
SplunkTrust

I ask about the region, because here on the support page (https://docs.splunk.com/Documentation/AddOns/released/AWS/Config) for the add-on which speaks about doing the exact install you wish, including going from AWS Config --> SQS S3, at the top of the page there is a link which specifically notes that the function has limitations based on the region in which the services are located, specific to Config Inputs.

0 Karma

abovebeyond18
Explorer

The region is supported. I can see the Config data on Splunk Search.

See attached screenshot:
https://imgur.com/a/JVRrJ4X

0 Karma

deastman
SplunkTrust

Also, what AWS regions are your data residing in that you are seeing this? I've found a support article that indicates there are some restrictions on Configuration Rules based on the region in which the AWS instance resides.

Also, if you search sourcetype=aws:config:rule do you get any results?

0 Karma

abovebeyond18
Explorer

Not sure region is related; all other data is there (cloudtrail, guardduty, flowlogs, cloudwatch...)

0 Karma