All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What should a stream metric regex look like for AWS Addon CloudWatchLogs

gesa_behrens
Path Finder
‎09-04-2019 11:32 PM

Hello
I need to stream access_logs from aws from different directories such as
/directory/subdirectory1/subdirectory2/subdirectory3/various cryptic numbers/var/log/apache2/access.log.

I would need something like /ecs/service/apache-tls10/PROD-apache-tls10/*/var/log/apache2/access.log because
.*/var/log/apache2/access.log sends to many logs since there are other directories in the log_group starting with a different directory name which we do not need to index.
Reading docs and splunk answers did not point me to a useful example explaining exactly what a 'stream matching regex' should look like. What ever I try I find this entry in internal:
2019-09-05 06:04:01,758 level=ERROR pid=19218 tid=MainThread logger=splunk_ta_aws.modinputs.inspector pos=util.py:call:163 | | message="Failed to execute function=run, error=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/splunktalib/common/util.py", line 160, in __call_
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/init.py", line 53, in run
do_run()
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/init.py", line 30, in _do_run
aiconf.AWSInspectorConf, "aws_inspector", logger)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/common/ta_aws_common.py", line 136, in get_configs
tasks = conf.get_tasks()
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/aws_inspector_conf.py", line 60, in get_tasks
_cleanup_checkpoints(tasks, config)
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/inspector/aws_inspector_conf.py", line 119, in _cleanup_checkpoints
internals = store.get_state("internals")
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/splunktalib/state_store.py", line 155, in get_state
state = json.load(jsonfile)
File "/opt/splunk/lib/python2.7/json/init.py", line 291, in load
**kw)
File "/opt/splunk/lib/python2.7/json/init_.py", line 339, in loads
return _default_decoder.decode(s)
File "/opt/splunk/lib/python2.7/json/decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/opt/splunk/lib/python2.7/json/decoder.py", line 382, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
"

can anyone provide an example for that please?

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...