I need to install Splunk Add-on for Amazon Web Services on our splunkcloud.
I'm following the below steps to achieve this.
What am I doing wrong?
The app, https://splunkbase.splunk.com/app/1876/ Splunk_TA_aws, is an assisted install app. If you view the app in the UI you should see that the button states that a support case needs to be opened to install it on the search head. That said, inputs are not allowed on the search heads in cloud; you need to either use a HWF to bring the data in or have an IDM in your cloud deployment. If you don't have an IDM you will soon be able to reach out to your account team and request one. Uploading a package to be installed is for uploading custom customer managed and created apps.
The Splunk Add-on for Amazon Web Services needs to run on-premise in a Heavy Forwarder, or in a Cloud based component we call an IDM. Not sure if they are full GA yet, but we were doing limited release recently. An IDM is essentially a Heavy Forwarder-like component, running in your Splunk Cloud environment. It is not recommended to collect data via a Search Head, which is what you would be doing if you installed the Add-on in your cloud environment without an IDM.
Ask your sales team about IDMs if you aren't willing to install a Heavy Forwarder on-prem to collect the AWS data.
Depending on the data you are trying to ingest from AWS, there are other options as well, like Kinesis Firehose which pushes the data into Splunk via the HTTP Event Collector, which can be enabled in Splunk Cloud by opening a ticket.
The add-on is also needed for sourcetype definitions and therefore needs to be deployed to the Search Head(s) with the inputs all turned off. Sounds like a misunderstanding if you only wanted it deployed for the sourcetype info. If you needed it for data collection then @kmorris_splunk is spot on.
So I made a support ticket to install the app, and support did it. Now, I'm unable to configure the add-on because of some internal server errors. When I talked to support about this, they responded with this documentation: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/Service/SplunkCloudservice#Differences_betwe...
"Splunk does not support the use of inputs.conf on the search tier of Splunk Cloud. Splunk Cloud uses the Packaging Toolkit (http://dev.splunk.com/view/packaging-toolkit/SP-CAAAE9V#partitioning) to partition apps into appropriate packages for the search tier, indexer tier, and forwarder tier. You are responsible for installing the data collection components of any app you want to use in Splunk Cloud on a Splunk Forwarder under your control. If you require direct input on the search tier and you cannot deploy forwarders, you can request that Splunk Cloud deploy data ingestion processes on the Splunk Cloud search tier, but this approach is not subject to Splunk Cloud SLAs."