Splunk App for AWS - AWS Config

abovebeyond18
Explorer

Hey all,
I'm trying to set up the AWS Config input for "Splunk App for AWS". All of the inputs are set on "Splunk Add-On for AWS", including AWS Config -> SQS based S3.

The sourcetype is "aws:config", and I can search for this sourcetype; the data seems to parse in the right way.

I received the following message while trying to access the dashboard under "Insights -> Config Rules"

"Some panels may not be displayed correctly because the following inputs have not been configured: Config Rule"

Thanks!

amiracle
Splunk Employee

That error message is a legacy component of the older AWS App. If you go under Configure in the Splunk App for AWS, you can uncheck the settings and it will remove those alerts. This was when we had the App communicating with the HF to make sure the modular inputs were being correctly set up. Today, that functionality has been removed.

0 Karma

deastman
Path Finder

What version of the App are you running? Just so I can make sure I'm not speaking on anything in the newer version which may not be in a version you are using.

Also, was this a new install? Or an upgrade?

-Dustin

0 Karma

abovebeyond18
Explorer

Hey Dustin, it is Splunk Cloud server 7.1.3.3

Splunk Add-on for AWS Splunk_TA_aws 4.6.0
Splunk App for AWS splunk_app_aws 5.1.1

Yes, if I search for:
sourcetype=aws:config:rule
there is data...

0 Karma

deastman
Path Finder

I ask about the region, because here on the support page (https://docs.splunk.com/Documentation/AddOns/released/AWS/Config) for the add-on which speaks about doing the exact install you wish, including going from AWS Config --> SQS S3, at the top of the page there is a link which specifically notes that the function has limitations based on the region in which the services are located, specific to Config Inputs.

0 Karma

abovebeyond18
Explorer

The region is supported. I can see the Config data on Splunk Search.

See attached screenshot:
https://imgur.com/a/JVRrJ4X

0 Karma

deastman
Path Finder

Also, what AWS regions are your data residing in that you are seeing this? I've found a support article that indicates there are some restrictions on Configuration Rules based on the region in which the AWS instance resides.

Also, if you search sourcetype=aws:config:rule do you get any results?

0 Karma

abovebeyond18
Explorer

Not sure the region is related; all other data is there (cloudtrail, guardduty, flowlogs, cloudwatch..)

0 Karma