Splunk App for AWS - AWS Config

Explorer

Hey all,
I'm trying to set up the AWS Config input for "Splunk App for AWS". All of the inputs are set on "Splunk Add-On for AWS", including AWS Config -> SQS based S3.

The sourcetype is "aws:config", and I can search for this sourcetype; the data seems to parse in the right way.

I received the following message while trying to access the dashboard under "Insights -> Config Rules":

"Some panels may not be displayed correctly because the following inputs have not been configured: Config Rule"

Thanks!

Splunk Employee

That error message is a legacy component of the older AWS App. If you go under Configure in the Splunk App for AWS, you can uncheck the settings and it will remove those alerts. This was when we had the App communicating with the HF to make sure the modular inputs were being correctly set up. Today, that functionality has been removed.

0 Karma

Path Finder

What version of the App are you running? Just so I can make sure I'm not speaking on anything in the newer version which may not be in a version you are using.

Also, was this a new install? Or an upgrade?

-Dustin

0 Karma

Explorer

Hey Dustin, it is Splunk Cloud server 7.1.3.3

Splunk Add-on for AWS SplunkTAaws 4.6.0
Splunk App for AWS splunkappaws 5.1.1

Yes, if I search for:
sourcetype=aws:config:rule
there is data...

0 Karma

Path Finder

I ask about the region, because here on the support page (https://docs.splunk.com/Documentation/AddOns/released/AWS/Config) for the add-on which speaks about doing the exact install you wish, including going from AWS Config --> SQS S3, at the top of the page there is a link which specifically notes that the function has limitations based on the region in which the services are located, specific to Config Inputs.

0 Karma

Explorer

The region is supported. I can see the Config data on Splunk Search.

See attached screenshot:
https://imgur.com/a/JVRrJ4X

0 Karma

Path Finder

Also, what AWS regions are your data residing in that you are seeing this? I've found a support article that indicates there are some restrictions on Configuration Rules based on the region in which the AWS instance resides.

Also, if you search sourcetype=aws:config:rule do you get any results?

0 Karma

Explorer

Not sure the region is related; all other data is there (cloudtrail, guardduty, flowlogs, cloudwatch...)

0 Karma