I'm trying to set up the AWS Config input for "Splunk App for AWS". All of the inputs are set on "Splunk Add-On for AWS", including AWS Config -> SQS based S3.
The sourcetype is "aws:config", and I can search for this sourcetype; the data seems to parse in the right way.
I received the following message while trying to access the dashboard under "Insights -> Config Rules":
"Some panels may not be displayed correctly because the following inputs have not been configured: Config Rule"
That error message is a legacy component of the older AWS App. If you go under Configure in the Splunk App for AWS, you can uncheck the settings and it will remove those alerts. This was when we had the App communicating with the HF to make sure the modular inputs were being correctly set up. Today, that functionality has been removed.
What version of the App are you running? Just so I can make sure I'm not speaking on anything in the newer version which may not be in a version you are using.
Also, was this a new install? Or an upgrade?
Hey Dustin, it is Splunk Cloud server 220.127.116.11
Splunk Add-on for AWS Splunk_TA_aws 4.6.0
Splunk App for AWS splunk_app_aws 5.1.1
Yes, if I search for:
there is data...
I ask about the region because, on the support page for the add-on (https://docs.splunk.com/Documentation/AddOns/released/AWS/Config), which speaks about doing the exact install you wish, including going from AWS Config --> SQS S3, there is a link at the top of the page which specifically notes that the function has limitations based on the region in which the services are located, specific to Config Inputs.
Also, what AWS regions is your data residing in where you are seeing this? I've found a support article that indicates there are some restrictions on Configuration Rules based on the region in which the AWS instance resides.
Also, if you search sourcetype=aws:config:rule do you get any results?