Hi guys, I'm using Splunk Light with the Splunk App for AWS.
I connected my AWS account to Splunk correctly and added an S3 bucket with the aws:elb:accesslogs source type.
My S3 bucket has many files, but no logs appear in the index that I created.
I already read a lot of topics about this subject, but none of them helped me.
I couldn't find the logs of the index operations either; where can I find them?

Try this - I had the same problem when I implemented this back in January this year. In your TA-AWS props.conf file (under the S3 section), append the following:
[aws:elb:accesslogs]
MAX_TIMESTAMP_LOOKAHEAD = 27
EXTRACT-elb = ^(?P[^ ]+)[^ \n]* (?P[^ ]+)\s+(?P[0-9.]+):(?P\d+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P.[^eventtype])\s+(?P.[^eventtype])\s+(?P\d+)\s+(?P\d+)\s+"(?P.+)"\s+"(?P.+)"\s+(?P[-\w]+)\s*(?P[-\w.]+)
EVAL-rtt = request_processing_time + backend_processing_time + response_processing_time
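
To check what a stanza like the one above should extract before touching props.conf, the following added example (not part of the original post and not Splunk's or the TA's own code) parses Classic ELB access log lines in Python and computes the same rtt sum. The capture-group names are not shown in the stanza on this page, so the names used here are assumptions taken from AWS's documented Classic Load Balancer access log fields; only the three *_processing_time names are confirmed by EVAL-rtt. The sample lines are constructed.

```python
import re

# Group names are assumptions based on AWS's Classic ELB access log field names;
# only the three *_processing_time names appear on the page (in EVAL-rtt).
ELB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) '
    r'(?P<client_ip>[0-9.]+):(?P<client_port>\d+) (?P<backend>\S+) '
    r'(?P<request_processing_time>-?[\d.]+) '
    r'(?P<backend_processing_time>-?[\d.]+) '
    r'(?P<response_processing_time>-?[\d.]+) '
    r'(?P<elb_status_code>\S+) (?P<backend_status_code>\S+) '
    r'(?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<ssl_cipher>[-\w]+) (?P<ssl_protocol>[-\w.]+)\s*$'
)
TIME_FIELDS = ("request_processing_time", "backend_processing_time",
               "response_processing_time")


def parse_elb_line(line):
    """Return the extracted fields plus rtt, or None if the line does not match."""
    m = ELB_LINE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    times = [float(event[name]) for name in TIME_FIELDS]
    # ELB writes -1 when a request was never dispatched to a backend;
    # summing those values would produce a misleading negative rtt.
    event["rtt"] = None if any(t < 0 for t in times) else round(sum(times), 6)
    return event


# Constructed sample lines (not real traffic).
SAMPLE_OK = ('2015-05-13T23:39:43.945958Z my-loadbalancer 192.0.2.10:2817 '
             '10.0.0.1:80 0.000073 0.001048 0.000057 200 200 0 29 '
             '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -')
SAMPLE_UNDISPATCHED = ('2015-05-13T23:39:44.000001Z my-loadbalancer '
                       '192.0.2.10:2818 - -1 -1 -1 504 0 0 0 '
                       '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -')

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_UNDISPATCHED, "not an ELB line"):
        event = parse_elb_line(line)
        # The timestamp is 27 characters long, matching MAX_TIMESTAMP_LOOKAHEAD = 27.
        print(event and (len(event["timestamp"]), event["backend"], event["rtt"]))
```
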