We are trying to ingest CloudWatch logs to Splunk using the Splunk Add-on for AWS. Some of the logs appear fine but there is a delay of more than 1 hour. The Splunk server and forwarder are in the same time zone. And some of the logs don't even appear. Below is the error we are getting:
2018-05-18 17:14:32,803 level=ERROR pid=4348 tid=Thread-4 logger=splunk_ta_aws.modinputs.cloudwatch_logs.aws_cloudwatch_logs_data_loader pos=aws_cloudwatch_logs_data_loader.py:describe_cloudwatch_log_streams:73 | | message="Failure in describing cloudwatch logs streams due to throttling exception for log_group=app1/container, sleep=2.5481909735, reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/splunk_ta_aws/modinputs/cloudwatch_logs/aws_cloudwatch_logs_data_loader.py", line 63, in describe_cloudwatch_log_streams
group_name, next_token=buf["nextToken"])
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/boto/logs/layer1.py", line 308, in describe_log_streams
body=json.dumps(params))
File "/opt/splunk/etc/apps/Splunk_TA_aws/bin/3rdparty/boto/logs/layer1.py", line 576, in make_request
body=json_body)
JSONResponseError: JSONResponseError: 400 Bad Request
{u'__type': u'ThrottlingException', u'message': u'Rate exceeded'}
"
Any help or suggestions are appreciated.
This error is due to throttling on the AWS side. Unfortunately, there isn't a way to raise the exceeded throttling rate through AWS. The next best option is to utilize Kinesis Firehose ingestion into Splunk.
See this answer for throttling: https://answers.splunk.com/answers/482689/splunk-app-for-aws-getting-throttling-errors-for-a.html
Kinesis Info: https://www.splunk.com/blog/2017/11/29/ready-set-stream-with-the-kinesis-firehose-and-splunk-integra...
https://www.splunk.com/blog/2019/02/21/how-to-ingest-any-log-from-aws-cloudwatch-logs-via-firehose.h...
https://aws.amazon.com/blogs/big-data/power-data-ingestion-into-splunk-using-amazon-kinesis-data-fir...
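To see which log groups are being throttled and how long the input spends backing off (which shows up as delayed or missing events), the throttling errors in the add-on's log output can be tallied per log group. This is an added example, not part of the original posts or of the add-on's code; the regular expression is written against the single error line quoted in the question, and every sample line other than that one (including `app2/container`) is constructed.

```python
import re
from collections import defaultdict

# Matches the header line of the throttling error shown in the question.
THROTTLE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} level=ERROR .*"
    r"throttling exception for log_group=(?P<group>[^,]+), "
    r"sleep=(?P<sleep>\d+(?:\.\d+)?)"
)

def summarize_throttling(lines):
    """Return {log_group: {"events", "sleep_seconds", "first", "last"}}."""
    stats = defaultdict(
        lambda: {"events": 0, "sleep_seconds": 0.0, "first": None, "last": None}
    )
    for line in lines:
        m = THROTTLE_RE.match(line)
        if not m:
            continue  # traceback continuation lines and unrelated events
        s = stats[m["group"]]
        s["events"] += 1
        s["sleep_seconds"] += float(m["sleep"])  # back-off time the input reported
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats)

# Header template copied from the error in the question; values are filled in below.
_HDR = ("{ts} level=ERROR pid=4348 tid=Thread-4 "
        "logger=splunk_ta_aws.modinputs.cloudwatch_logs.aws_cloudwatch_logs_data_loader "
        "pos=aws_cloudwatch_logs_data_loader.py:describe_cloudwatch_log_streams:73 | | "
        'message="Failure in describing cloudwatch logs streams due to throttling '
        "exception for log_group={group}, sleep={sleep}, "
        "reason=Traceback (most recent call last):")

# First entry is the line from the question; the later header lines are constructed.
SAMPLE = [
    _HDR.format(ts="2018-05-18 17:14:32,803", group="app1/container", sleep="2.5481909735"),
    "JSONResponseError: JSONResponseError: 400 Bad Request",
    "{u'__type': u'ThrottlingException', u'message': u'Rate exceeded'}",
    _HDR.format(ts="2018-05-18 17:14:40,120", group="app1/container", sleep="4.0"),
    _HDR.format(ts="2018-05-18 17:15:01,007", group="app2/container", sleep="1.5"),
]

if __name__ == "__main__":
    for group, s in sorted(summarize_throttling(SAMPLE).items()):
        print(group, s["events"], round(s["sleep_seconds"], 2), s["first"], s["last"])
```

Log groups with a steadily growing event count and back-off total are the ones to move to Firehose first.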