I'm trying to configure a cloudwatch logs input but I continue to receive invalid key errors when restarting Splunk on the HF. I've gone by the doc as well as opened a support case but haven't had success. The samples that I've seen and the keys that the support guy were telling me to try are all different than the documentation. I'm starting to think this input type is just bugged and doesn't work at all. Has anyone been able to configure this type of input? And if so, do you mind sharing what you did?
Errors
Invalid key in stanza [aws_cloudwatch_logs://REDACTED] in /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf, line 34: account (value: REDACTED).
Invalid key in stanza [aws_cloudwatch_logs://REDACTED] in /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf, line 35: groups (value: /blah/blah/redacted, /blah/more/redacted).
Invalid key in stanza [aws_cloudwatch_logs://REDACTED] in /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf, line 38: region (value: us-east-1).
Details
My current stanza
[aws_cloudwatch_logs://REDACTED]
account = REDACTED
groups = /blah/blah/redacted, /blah/more/redacted
index = staging
sourcetype = aws:cloudwatchlogs:log
interval = 1800
region = us-east-1
disabled = 0
