
Splunk Cloud - Splunk Add-on for AWS – logGroupName vs logGroupIdentifier in cross-account setup

Leonardo1998
Explorer

Hi everyone,
I'm working with the Splunk Add-on for AWS on Splunk Cloud, and I’ve run into an issue when trying to collect CloudWatch Logs from a cross-account AWS setup.

After digging through the Python code inside the add-on, I discovered that it uses the logGroupName parameter when calling describe_log_streams() via Boto3. However, in cross-account scenarios, AWS requires the use of logGroupIdentifier (with the full ARN of the log group) — and you can’t use both parameters at the same time.

So, even though AWS allows log collection across accounts using logGroupIdentifier, the current implementation in the add-on makes it impossible to use this feature correctly.

I was able to identify the exact line of code that causes the issue and verified that simply replacing "logGroupName" with "logGroupIdentifier" solves the problem.

Given that I'm on Splunk Cloud, I have a few questions for those with more experience in similar situations:

  1. Is it possible to modify that single line of Python code directly in the official add-on deployed in Splunk Cloud (maybe through the UI or some workaround), or is that completely locked down?

  2. I could clone the add-on, patch it, and submit it as a custom app — but would running a custom version of the AWS add-on cause issues with future Splunk Support cases? (i.e., would support be denied for data coming from a modified TA?)

  3. More broadly, for anyone who’s set up Splunk in cross-account AWS environments: what’s your recommended approach for collecting CloudWatch Logs in this scenario, given the limitations of the official add-on?

Thanks in advance for any insights.

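The parameter rule the question describes, as an added example that is not the add-on's code: a helper that passes logGroupName for a same-account log group and logGroupIdentifier (the log group ARN) for a cross-account one, never both, and then walks describe_log_streams through its nextToken pages. The ARN layout, account numbers and the stub client are assumptions made for an offline run; with a real boto3 `logs` client the same functions apply unchanged.

```python
"""Added example (not the Splunk Add-on for AWS code): pick the right
CloudWatch Logs parameter for describe_log_streams() depending on whether
the log group is in the caller's account or a cross-account source."""

# Assumed log group ARN layout (no trailing ":*").
LOG_GROUP_ARN = "arn:aws:logs:{region}:{account}:log-group:{name}"


def log_group_kwargs(name, region, group_account, caller_account):
    """Return the keyword arguments for describe_log_streams().

    AWS rejects a request that sets both logGroupName and logGroupIdentifier,
    so exactly one key is returned: the bare name for a same-account group,
    the full ARN via logGroupIdentifier for a cross-account group.
    """
    if group_account == caller_account:
        return {"logGroupName": name}
    arn = LOG_GROUP_ARN.format(region=region, account=group_account, name=name)
    return {"logGroupIdentifier": arn}


def list_log_streams(client, name, region, group_account, caller_account):
    """Collect every stream name, following nextToken across result pages.

    `client` is anything with a boto3-style describe_log_streams(**kwargs)
    method: a real CloudWatch Logs client or the stub below.
    """
    kwargs = log_group_kwargs(name, region, group_account, caller_account)
    streams, token = [], None
    while True:
        page = client.describe_log_streams(**kwargs, **({"nextToken": token} if token else {}))
        streams.extend(s["logStreamName"] for s in page.get("logStreams", []))
        token = page.get("nextToken")
        if not token:
            return streams


class StubLogsClient:
    """Constructed stand-in for a boto3 'logs' client: enforces the
    mutual-exclusion rule and serves two pages of sample stream names."""

    def __init__(self):
        self.calls = []  # every kwargs dict received, for inspection

    def describe_log_streams(self, **kwargs):
        self.calls.append(dict(kwargs))
        if ("logGroupName" in kwargs) == ("logGroupIdentifier" in kwargs):
            raise ValueError("exactly one of logGroupName/logGroupIdentifier is required")
        if kwargs.get("nextToken") == "page2":
            return {"logStreams": [{"logStreamName": "stream-c"}]}
        return {"logStreams": [{"logStreamName": "stream-a"}, {"logStreamName": "stream-b"}],
                "nextToken": "page2"}
```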

livehybrid
SplunkTrust

Hi @Leonardo1998

You make a good point here. Do you know if logGroupIdentifier can be used for non-cross-account groups?

To answer your question, you cannot make changes to files from Splunkbase apps in Splunk Cloud. Whilst you could clone the app and upload it with a unique ID with the amendments, you would be creating a supportability and maintenance nightmare for yourself unfortunately.
I think the best solution at the moment would be to raise it as a bug with Splunk Support and see if they can give you a timeline on a fix.
In the meantime I will see if I can test this change with a non-cross-account collection.

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
