All Apps and Add-ons

Splunk App for AWS: How do I configure inputs for CloudWatch logs on a heavy forwarder?

rickjury
Explorer

On this page:
http://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs

it says: "To configure inputs in Splunk Web, click on Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then click Create New Input > CloudWatch Logs."

I have a setup where I have a search head with the Splunk App for AWS and remote command to configure a heavy forwarder (where the TA is collecting from). According to instructions, I've installed the TA also on search head, but make it not visible. My heavy forwarder does not have Splunk Web, so it's not possible to connect to that to configure anything.

I have found that I can add an account and add inputs for vpc logs, but there is no add input option for cloudwatch logs (only cloudwatch metrics or vpc logs). Since there is no "add input" option for cloudwatch logs in the Splunk App for AWS to configuration pages, is it impossible to add this except as a config file edit on my heavy forwarder?? (ps. I have also tried this, but it doesn't collect anything and doesn't appear in the config page on the search head app).

As a side note, I can't believe this is version 4 of the app and there is no field to set the index!! Everything I add defaults to "index -= default" so it goes to wrong index unless I manually edit on the heavy forwarder and restart that instance of Splunk.

0 Karma
1 Solution

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

for the kind of advanced editing that you're describing, you're better off going to the Heavy Forwarder and making the Add-on visible, then using its configuration screens. You should be able to do everything you're describing that way.

View solution in original post

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

for the kind of advanced editing that you're describing, you're better off going to the Heavy Forwarder and making the Add-on visible, then using its configuration screens. You should be able to do everything you're describing that way.

rickjury
Explorer

I've decided to enable web on the heavy forwarder as suggested by jcoates and that solves most of my problems.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...