Solved: Splunk App for AWS: Why are ELBs not appearing in ...

klaxdal · ‎12-14-2016

Seem to have an issue with the ELB - Traffic Analysis Dashboard on the Splunk App for AWS - only two ELBs show up when the search runs .

I have verified that all the logs are being indexed into Splunk
The two that appear in the dashboard seem to have the field "elb" in the events
The remaining ELB's do not have this field and don't appear in the dashboard although the sourcetype=aws:elb:accesslogs is correct and the data is indexing .

Any ideas what the issue might be ? Any ideas why the elb field is missing for the other inputs ? All of them ( 12 in total ) are configured the same way .

klaxdal · ‎12-20-2016

Found the solution - had to "manually" extract the fields - for some reason the Regex within props.conf did not work 😞

View solution in original post

aaguirr1 · ‎12-23-2016

Are you using splunkcloud?
Regards,
Arsenio

klaxdal · ‎12-28-2016

Arsenio ,

I am using Splunk Enterprise . Turns out the Filed Extracts were not correctly extracting the field "elb" ( amongst others )

Rewriting the regex in props.conf fixed this issue

klaxdal · ‎12-20-2016

Found the solution - had to "manually" extract the fields - for some reason the Regex within props.conf did not work 😞

Splunk App for AWS: Why are ELBs not appearing in the Traffic Analysis Dashboard?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!