KV_MODE = multi_tsv_cloudwatch

hal_boggess1 · ‎04-06-2015

Any ideas what's the cause of this error when searching either the index or sourcetype for AWS Cloudwatch data. I can see the data being updated in the index (aws-cloudwatch) but I'm not able to do a search without generating this error.

AWS add-on version (1.1.0)
Splunk (6.1)
Splunk App for AWS (3.0.2)

Thanks
Hal

hal_boggess1 · ‎04-08-2015

Commented out the following line and I'm now able to search the index. (default/props.conf)

[aws:cloudwatch]

KV_MODE = multi_tsv_cloudwatch

View solution in original post

hal_boggess1 · ‎04-08-2015

Commented out the following line and I'm now able to search the index. (default/props.conf)

[aws:cloudwatch]

KV_MODE = multi_tsv_cloudwatch

felsherif_splun · ‎09-09-2015

Hi @amaddio, to make backend configuration changes in Splunk Cloud, you will need to open a Support ticket with Splunk requesting those changes to be made on your behalf.

Please note that if you comment out KV_MODE in props.conf, the field extractions won't apply. So to keep the field extractions yet get around the issue noted above, it's best to follow this solution: http://answers.splunk.com/answers/229960/why-am-i-seeing-this-error-failed-to-find-a-valid.html

(Copy the multikv.conf file from etc/apps/Splunk_TA_aws/default on the search head to the indexer (or cluster master if it's a an indexer cluster) and restart the Splunk service).

amaddio · ‎07-08-2015

Hello,

I have the same issue, how can I change this setting with a Splunk Cloud Server ?

Thank you,

Why am I getting error "AWSFailed to find a valid configuration for multikv stanza = 'tsv_cloudwatch'" when searching the index or sourcetype for AWS Cloudwatch data?

KV_MODE = multi_tsv_cloudwatch

KV_MODE = multi_tsv_cloudwatch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?