Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk HEC not parsing out separate events from aws cloudwatch aws config logs

kaydub00
Explorer
‎11-06-2018 01:43 PM

I followed this documentation on setting this up: https://aws.amazon.com/blogs/mt/ingest-aws-config-data-into-splunk-with-ease/

We are on Splunk Enterprise 7.1.3.

Sometimes our data is parsed properly, but I've noticed that on many occasions multiple events get forwarded to HEC and HEC can't properly parse them. These multiple events end up as just raw input in splunk when I need splunk to intelligently parse this info.

I have setup a lambda function on my kinesis stream so I can manually parse this, I'm also considering splitting the records up and making sure only one record gets forwarded to Splunk at a time and then I'll throw the extra messages back into the kinesis stream but that feels like a really bad hack. Not sure what I can do to fix this, has anyone else had this issue and have a solution?

Tags (1)
0 Karma
Reply

kaydub00
Explorer
‎11-07-2018 01:54 PM

I got this fixed. We had to add the firehose add-on and then change the input type to firehose:json

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...