Found the issue thanks to some previous Splunk Answers and digging in the logs.
I noticed a snippet of a message from the Splunk aws_cloudtrail.log:
"fetched 16 records, wrote 1, discarded 15, redirected 0 from s3"
Searching on that led me to this Splunk Answer:
link text
The gist being that there is a default property in the inputs.conf called exclude_describe_events that prevents the AWS add-on from pulling down most "read-only" type events. It's exactly clear that this is happening if you configure the cloudtrail input via Splunk Web.
Once I changed that property to false, all the entries in the cloudtrail logs started coming through normally.
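A way to check for the symptom described in the post above, as an added example that is not part of the original post or the add-on's own code: it totals the "fetched / wrote / discarded" summaries in aws_cloudtrail.log and flags a high discard share. The sample lines (including their timestamp prefix) are constructed, and the 0.5 threshold is an assumption.

```python
import re
from collections import namedtuple

# Matches only the summary snippet quoted in the post; anything else on the
# line (timestamp, log level, thread) is ignored because its format is assumed.
SUMMARY = re.compile(
    r"fetched (?P<fetched>\d+) records, wrote (?P<wrote>\d+), "
    r"discarded (?P<discarded>\d+), redirected (?P<redirected>\d+)"
)

Totals = namedtuple("Totals", "batches fetched wrote discarded redirected")


def summarize(lines):
    """Add up the counters from every summary line found in `lines`."""
    counts = {"fetched": 0, "wrote": 0, "discarded": 0, "redirected": 0}
    batches = 0
    for line in lines:
        match = SUMMARY.search(line)
        if not match:
            continue  # unrelated log message
        batches += 1
        for key in counts:
            counts[key] += int(match.group(key))
    return Totals(batches=batches, **counts)


def discard_ratio(totals):
    """Share of fetched records that never reached the index."""
    return totals.discarded / totals.fetched if totals.fetched else 0.0


def filtering_suspected(totals, threshold=0.5):
    """True when most fetched records are dropped (threshold is an assumption)."""
    return totals.batches > 0 and discard_ratio(totals) >= threshold


# Constructed sample lines; only the quoted snippet comes from the post.
SAMPLE_LOG = [
    "2024-01-01 12:00:00 INFO fetched 16 records, wrote 1, discarded 15, redirected 0 from s3",
    "2024-01-01 12:05:00 INFO fetched 20 records, wrote 4, discarded 16, redirected 0 from s3",
    "2024-01-01 12:05:01 INFO unrelated message",
]

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    print(totals, f"discard ratio {discard_ratio(totals):.2f}")
    if filtering_suspected(totals):
        print("Most records discarded: check exclude_describe_events in inputs.conf")
```

A high ratio matters for detection work because the discarded "read-only" events are the ones searches for enumeration activity rely on.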