Currently my Splunk index only has aws:config:rule and aws:config:notification events. There are no aws:config snapshot events, so the topology feature doesn't work. I have set up the old Config input that takes in an SQS per region. Every Config service in every other account has its delivery channel send to a central SNS in the same region, which then sends to the SQS that Splunk queries.
The dev manager of the AWS app said:
The initial inventory gets populated by triggering an AWS Config Snapshot. When you add a Config input, the snapshot will be triggered automatically, unless your IAM user doesn't have such (see https://answers.splunk.com/answers/337327/splunk-app-for-aws-will-my-current-configuration-f.html answer).
My IAM user has the proper permission (config:DeliverConfigSnapshot). But no snapshot was triggered or imported. I even manually triggered a Config snapshot via the CLI as recommended in https://answers.splunk.com/answers/378001/aws-app-description-vs-config.html, but that did not do anything.
For context, I also have some Config Rule inputs set up beforehand that I did not touch during this whole process.
Thoughts on how I can get my Splunk app to populate with aws:config events?
AWS 5.1.1 Topology Splunk article (don't have the karma to link): docs.splunk.com/Documentation/AWS/5.1.1/User/Topology:
I don't see any such saved search in my Splunk AWS App and have added AWS Config, CloudTrail, and Config Rule inputs. Shouldn't it appear? Or is it a must to include every other input as well? To clarify, I'm not talking about the saved search automatically enabling itself, but rather showing up under Settings > Searches, reports, and alerts at all.
I'm also curious whether the "aws:config:notification" and "aws:config" types are treated interchangeably in the documentation. I have a lot of "aws:config:notification" source types and no pure "aws:config" types. The troubleshooting page for Topology (linked above) mentions that you should search for "sourcetype=aws:config" to ensure data is reaching Splunk; I'm unsure if "aws:config:notification" events are a green or red flag for this.
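Both posts come down to the same question: which Config message types are actually landing in the central SQS queue, and from which accounts and regions. The script below is an added example, not code from the Splunk app, the add-on, or the poster. It unwraps the SNS envelope that SNS-to-SQS fan-out puts around each Config notification (and also accepts raw message delivery), tallies the `messageType` values per account/region, and lists account/region pairs that emit change or compliance notifications but have never delivered a `ConfigurationSnapshotDeliveryCompleted` notification. Two assumptions are labelled in the code: that the snapshot-completed notification is what the Splunk Config input uses to fetch the snapshot object (the `aws:config` sourcetype), and that Config writes snapshot objects under the `AWSLogs/<account>/Config/<region>/...` key layout. All sample messages are constructed for the example.

```python
"""Tally AWS Config notifications sitting in the SQS queue a Splunk Config input polls.

Added example, not from the Splunk app or the original post. Sample bodies are
constructed; feed real SQS message bodies (strings) to summarize_queue() instead.
"""
import json
from collections import Counter

# Message types the Config delivery channel publishes. Assumption: the Splunk
# Config input needs a snapshot-completed notification to fetch the snapshot
# from S3 (sourcetype aws:config); the rest surface as aws:config:notification.
SNAPSHOT_TYPES = {"ConfigurationSnapshotDeliveryCompleted"}
OTHER_TYPES = {
    "ConfigurationSnapshotDeliveryStarted",
    "ConfigurationHistoryDeliveryCompleted",
    "ConfigurationItemChangeNotification",
    "OversizedConfigurationItemChangeNotification",
    "ComplianceChangeNotification",
    "ConfigRulesEvaluationStarted",
}


def unwrap_sqs_body(body):
    """Return the Config payload inside an SQS message body.

    With SNS -> SQS fan-out the body is an SNS envelope whose "Message" field is
    a JSON string; with raw message delivery the body is the payload itself.
    """
    outer = json.loads(body)
    if outer.get("Type") == "Notification" and "Message" in outer:
        return json.loads(outer["Message"])
    return outer


def account_region(msg):
    """Best-effort (account, region) for a Config notification."""
    if "awsAccountId" in msg:  # compliance notifications carry these at top level
        return msg["awsAccountId"], msg.get("awsRegion", "?")
    ci = msg.get("configurationItem") or {}
    if "awsAccountId" in ci:  # change notifications carry them in the item
        return ci["awsAccountId"], ci.get("awsRegion", "?")
    # Snapshot/history notifications only carry the S3 object key. Assumed key
    # layout: AWSLogs/<account>/Config/<region>/...
    parts = msg.get("s3ObjectKey", "").split("/")
    if len(parts) >= 4 and parts[0] == "AWSLogs" and parts[2] == "Config":
        return parts[1], parts[3]
    return "?", "?"


def summarize_queue(bodies):
    """Count messageType per (account, region); collect snapshot deliveries."""
    counts = Counter()
    snapshots = []
    unknown = set()
    for body in bodies:
        try:
            msg = unwrap_sqs_body(body)
        except (ValueError, TypeError):
            counts[("?", "?", "unparseable")] += 1
            continue
        mtype = msg.get("messageType", "missing")
        account, region = account_region(msg)
        counts[(account, region, mtype)] += 1
        if mtype in SNAPSHOT_TYPES:
            snapshots.append((account, region, msg.get("s3Bucket"), msg.get("s3ObjectKey")))
        elif mtype not in OTHER_TYPES:
            unknown.add(mtype)
    return {"counts": counts, "snapshots": snapshots, "unknown_types": unknown}


def missing_snapshots(summary):
    """Account/region pairs that send notifications but never a completed snapshot."""
    seen = {(a, r) for (a, r, t) in summary["counts"] if t != "unparseable"}
    have = {(a, r) for (a, r, _, _) in summary["snapshots"]}
    return sorted(seen - have)


# Constructed sample bodies: one SNS-wrapped snapshot, one SNS-wrapped change
# notification, one raw-delivery compliance notification, one junk message.
SNAPSHOT_KEY = ("AWSLogs/111111111111/Config/us-east-1/2019/1/1/ConfigSnapshot/"
                "111111111111_Config_us-east-1_ConfigSnapshot_20190101T000000Z_x.json.gz")
SAMPLE_BODIES = [
    json.dumps({"Type": "Notification", "Message": json.dumps({
        "s3ObjectKey": SNAPSHOT_KEY, "s3Bucket": "example-config-bucket",
        "messageType": "ConfigurationSnapshotDeliveryCompleted", "recordVersion": "1.1"})}),
    json.dumps({"Type": "Notification", "Message": json.dumps({
        "configurationItem": {"awsAccountId": "222222222222", "awsRegion": "us-east-1",
                              "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-example"},
        "messageType": "ConfigurationItemChangeNotification", "recordVersion": "1.3"})}),
    json.dumps({"awsAccountId": "222222222222", "awsRegion": "us-east-1",
                "configRuleName": "example-rule", "messageType": "ComplianceChangeNotification"}),
    "not json",
]

if __name__ == "__main__":
    result = summarize_queue(SAMPLE_BODIES)
    for key, n in sorted(result["counts"].items()):
        print(key, n)
    print("never delivered a snapshot:", missing_snapshots(result))
```

Run against the real queue by draining message bodies with the AWS CLI or SDK and passing them to `summarize_queue`; an account/region pair reported by `missing_snapshots` is one whose delivery channel is producing change notifications but whose snapshot (manual or input-triggered) has not reached this queue, which narrows the fault to the delivery channel, the SNS subscription, or the snapshot trigger rather than the Splunk input.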