For CloudWatch Logs, we suggest to use Kinesis for that. As you mentioned, the reason is the API throttling in CWL side. About S3 files, you don't need to use Kinesis. What type of data do you want to ingest from S3? For AccessLogs, CloudTrail, they are supported in Incremental S3 input. For others, you can only choose Generic S3 input. ... View more

To enable "S3 data Event Dashboard", you need to enable it in your cloudtrail policy. It's new feature in AWS re.event. ... View more

ALB is not supported yet. It's in our road map of next major release. ... View more

Only admin can configure AWS account and inputs in AWS app v4.2 and AWS addon v4.1. Please wait for next release. It has been considered already. ... View more

Hi Rich First of all, please update your App to version 4.2.0 or above. IAM role was only supported in AWS app since version 4.2.0. Or, you can simply update it to the latest version 4.2.1 In version 4.2.0, IAM role account is read only. IAM role account is assigned to EC2 at provision phase. You can't delete it. The IAM account is detected by AWS add-on automatically. Then, you can view it in app and do inputs configuration, but not edit or delete the IAM account. What if an IAM role is staled? Ideally, add-on should be able to detect it. Then, in data ingestion phase, no data of that account can be fetched. I don't think you can delete that account. It's not a typical use case to stale an IAM role but still have Splunk running on that server. If you want to clean all related inputs of that IAM account, you can simply delete inputs instead of deleting account. Peter Chen ... View more

Hi SNS+SQS on CloudTrail is used to collecting CloudTrail message. You can set up accounts first, then setup cloudtrail with SNS and SQS. Then, add SQS in the AWS app GUI. Meanwhile, pull CloudTrail message from S3 may be supported in the future. ... View more

Thanks for sharing this. There is a bug fired from customer side (AWSAPP-1014). AWS app development team has resolved it and put in into v4.2.1 release. The fix Conner provided works if the trail is configured recently, but not works for old trails. If you want to apply the fix before v4.2.1 release, you can try fix one line code as below: File: $AWS_APP_ROOT/bin/aws/aws_utils.py Function: get_cloudtrail_sqs Before fix: topic_names = set([x['SnsTopicName'] for x in trails]) After fix: topic_names = set([extract_name_from_arn(x['SnsTopicARN']) for x in trails if 'SnsTopicARN' in x]) ... View more