Thanks, I corrected it. I didn't see my reports on the search app. Maybe I should share my Report/Alert Globally/Public. I'll figure this out. Thank you again. ... View more

The reports will be under the file $Splunk_home/etc/apps/appname/local/savedsearches.conf I wasn't able to find it on the front end GUI though ... View more

Thanks! That worked. I didn't have this entry on my inputs.conf. ... View more

what is the block of code that has to be added to inputs.conf. need to verify this ... View more

This works. Thank you. However, I'm unable to find the report on Splunk if I need to schedule it to a different time or need to edit again. Where do I find this? I have another question but I'll open another thread for this. ... View more

Thanks rsennett. I should have mentioned my e-mail has been configured and I'm getting reports on other plugins/apps I have configured (SplunkAPPforAWS and Splunk itself) Although I can configure permissions, I did not see an option to schedule reports for a Dashboard or Alert. I will try and save the search result as a report and see if I can schedule this and get back to you. Many thanks! ... View more

Thanks! We were able to make it work earlier. ... View more

Thank you d! ... View more

After re-doing my Splunk Install and SQS, SNS, CloudTrail setup, I see some improvement. On aws_CloudTrail Log, 2015-02-13 11:03:44,241 INFO pid=25836 tid=MainThread file=aws_cloudtrail.py:process_notifications:356 | processing 4 records in s3:trailertruck/AWSLogs/2xxxxxxx/CloudTrail/us-east-1/2015/02/13/xxxxxxxx_CloudTrail_us-east-1_20150213T1605Z_0YodSeqjgEBI0nqU.json.gz 2015-02-13 11:03:44,241 DEBUG pid=25836 tid=MainThread file=aws_cloudtrail.py:process_notifications:369 | writing event DescribeLoadBalancers with timestamp 2015-02-13T16:00:02Z 2015-02-13 11:03:44,242 DEBUG pid=25836 tid=MainThread file=aws_cloudtrail.py:process_notifications:369 | writing event CreateKeyPair with timestamp 2015-02-13T15:59:25Z 2015-02-13 11:03:44,243 DEBUG pid=25836 tid=MainThread file=aws_cloudtrail.py:process_notifications:369 | writing event DescribeAlarms with timestamp 2015-02-13T15:59:11Z 2015-02-13 11:03:44,243 DEBUG pid=25836 tid=MainThread file=aws_cloudtrail.py:process_notifications:369 | writing event DeleteKeyPair with timestamp 2015-02-13T15:59:49Z 2015-02-13 11:03:44,244 INFO pid=25836 tid=MainThread file=aws_cloudtrail.py:process_notifications:393 | fetched 4 records, wrote 4, discarded 0, redirected 0 from s3:trailertruck/AWSLogs/2xxxxxxx/CloudTrail/us-east-1/2015/02/13/2xxxxxxxxx_CloudTrail_us-east-1_20150213T1605Z_0YodSeqjgEBI0nqU.json.gz 2015-02-13 11:03:44,256 INFO pid=25836 tid=MainThread file=aws_cloudtrail.py:stream_events:283 | 1 completed, 0 failed while processing a notification batch of 1 [0 errors deleting 1 notifications] Elapsed: 0.077s However, on splunkd.log 02-13-2015 10:55:36.381 -0500 WARN SearchOperator:inputcsv - Encountered 1 'inconsistent number of column' errors while reading input. 02-13-2015 10:55:36.791 -0500 WARN SearchOperator:inputcsv - Encountered 1 'inconsistent number of column' errors while reading input. 02-13-2015 10:55:36.809 -0500 WARN SearchOperator:inputcsv - Encountered 1 'inconsistent number of column' errors while reading input. I'm not sure what to make of it but I'm going to dig deeper and see if I can come up with something else. ... View more

Hello David - Were you able to find a solution to this? We see the exact problem you described. I don't have any other SQS queue or SNS topic besides the one for CloudTrail. ... View more

Thank you jcoates_splunk for your response to another thread. He responded by, "every time i've seen that sort of error message it's meant that the add-on is being directed to gather "cloudtrail" data from a bucket that actually contains something else." Here is my response - The cloudtrail folder was created specifically for this purpose and do not have any other data. Is there any other suggestions that I need to try out? Thank you again. ... View more

I don't want to hijack this thread but just want to make sure Splunk is aware of this. I have a similar issue where I get the error, DEBUG pid=11513 tid=MainThread file=aws_cloudtrail.py:stream_events:210 | Connect to S3 & Sqs sucessfully 2015-02-12 19:23:56,799 CRITICAL pid=11513 tid=MainThread file=aws_cloudtrail.py:stream_events:286 | Outer catchall: TypeError: 'int' object has no attribute '__getitem__' 2015-02-12 19:23:56,799 INFO pid=11513 tid=MainThread file=aws_cloudtrail.py:<module>:419 | EXITED: 1 It looks like Splunk is getting the logs to its indexes from AWS but the AWS add on is unable to parse the data and generate meaningful reports spewing out the above errors. Can you guys help? I'm using the latest version of Splunk on Amazon Linux if that helps. ... View more

Thanks MuS. I'll use your output too on a different problem. ... View more

Thank richgalloway. How do we also add TaskCategory=Computer Account Management to this. Since this has a white space, I'm unable to figure out how to include the sentence "Computer Account Management" ... View more

Sorry about that. Expected result should be, Time EveID ComputerName _time Event Code=4742 MyHost.com _time Event Code=4772 MyHost2.com etc.. ... View more

Eventually this is what I wanted, -\s+\[[^:]+:(?<email>[^]]+)] - User authenticated Thank you triest! ... View more

Finally got it, -\s+\[[^:]+:(?<email>[^]]+)] - User authenticated Thanks! ... View more

Hi Again - The requirement changed a bit and they need firstname@emailaddress. I tried to define email like how we did for first name like this, -\s+\[[^:]+:(?<firstname>[^@])+(?<email>)@[^]]+] - User authenticated | table _time firstname@email However, splunk doesn't get it and only displays the last letter of the firstname. How can I include the firstname@email in the report. This is my working expression. As you can see there is no lastname. rex "-\s+\[[^:]+:(?<firstname>[^@]+)@[^]]+] - User authenticated" | table _time firstname ... View more