Data onboarding issue - Splunk_TA_aws

smakwana
Explorer

Hi,

I am trying to onboard AWS access logs from an S3 bucket using the Splunk Add-on for AWS installed on a Heavy Forwarder. There are logs in the location. I am giving a start timestamp as one of the logs. There are more logs in that location, but logs are not getting onboarded into Splunk. I don't see any error logs in the _internal logs.


thahir
Contributor

@smakwana go to this path $SPLUNK_HOME/var/log/splunk/splunk_ta_aws_s3.log and check if there is any error related to the add-on.

Make sure you gave the correct permission on the AWS end and assigned the List bucket and Get object policy for the S3 bucket.

 

 


smakwana
Explorer

Thank you, Thahir

Updated permissions to the role accessing the S3 bucket and that fixed the issue.
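
The permissions check from the accepted answer, as an added example that is not part of the thread or of the add-on: a Python function that reads an IAM policy document and reports which of `s3:ListBucket` (on the bucket ARN) and `s3:GetObject` (on an object ARN) it does not allow. The bucket name, sample key and both policies are constructed, and the check ignores `Condition`, `NotAction`/`NotResource`, bucket policies and KMS key permissions.

```python
import re

BUCKET = "constructed-access-logs"  # constructed bucket name, not from the thread

# Constructed: both actions scoped to the bucket ARN only, so GetObject never matches an object.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": f"arn:aws:s3:::{BUCKET}"}]}

# Constructed: ListBucket on the bucket ARN, GetObject on the objects under it.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(x):
    """Action and Resource may each be a single string or a list of strings."""
    return [x] if isinstance(x, str) else list(x or [])

def _covers(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are matched case-sensitively.
    return (any(_match(a, action, True) for a in _as_list(stmt.get("Action")))
            and any(_match(r, resource) for r in _as_list(stmt.get("Resource"))))

def missing_s3_read_permissions(policy, bucket, sample_key="AWSLogs/example.log"):
    """Return the (action, resource) pairs the policy does not allow."""
    needed = [("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
              ("s3:GetObject", f"arn:aws:s3:::{bucket}/{sample_key}")]
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may appear without a list
        stmts = [stmts]
    missing = []
    for action, resource in needed:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action, resource) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action, resource) for s in stmts)
        if denied or not allowed:  # an explicit Deny overrides any Allow
            missing.append((action, resource))
    return missing

if __name__ == "__main__":
    print("broken:", missing_s3_read_permissions(BROKEN_POLICY, BUCKET))
    print("fixed: ", missing_s3_read_permissions(FIXED_POLICY, BUCKET))
```
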

 


VatsalJagani
SplunkTrust

@smakwana - I don't think the given information is enough to understand the issue, given the complexity and variety in AWS inputs. Please provide more details.

* Are you using SQS-based S3 input?

* What are your input settings?

* Is your SQS configured correctly?

* etc
