Splunk Enterprise

Import specific data from S3



I am trying to import a specific account data from AWS S3 

we have configured SQS to import the full data from the same S3  and it works properly 

I have defined the inputs as below  

the account path in AWS is Amazon S3/amdocsinfosectrail/AWSLogs/o-kgohve3tjc/001519100451

what I am missing  ? 

the logs are not created with the key_name 

once I remove the filter I see that the /opt/splunk/var/lib/splunk/modinputs/aws_s3/amdocsinfosectrail_001519100451.index.v3.ckpt is getting the list of files 

what I am missing  ? 

aws_account = IS account
bucket_name = amdocsinfosectrail
character_set = auto
ct_blacklist = ^$
host_name = s3.amazonaws.com
index = test
initial_scan_datetime = -180d
interval = 30
is_secure = True
max_items = 100000
max_retries = 3
recursion_depth = -1
sourcetype = aws:s3
disabled = 0
key_name = AWSLogs/o-kgohve3tjc/001519100451/*

Labels (1)
Tags (2)
0 Karma


Did you every get a solution to this?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!