Thanks Lakshman, this is exactly what I have listed as my explanation but still wanted the second opinion. Thanks much for your explanation. ... View more

Thanks for your answer, it does help. ... View more

It should be work as per the above steps as posted by dKeck. If still not working then please share the output.conf settings. ... View more

I already tried going through that and the other whitepaper "Technical Paper: Large-Scale, Unstructured Data Retrieval and Analysis Using Splunk". However, I am still confused on the overall utilization of Map Reduce in Splunk. ... View more

Yes, it is enabled and has completed the results. ... View more

Any solution for "Most Recent Modifications - Latest 10" from S3 - Data events that is also not working out. ... View more

I am using the SQS based S3 only with below configurations. [aws_sqs_based_s3://S3_Logs] aws_account = RoleName aws_iam_role = RoleName interval = 300 s3_file_decoder = S3AccessLogs sourcetype = aws:s3:accesslogs sqs_batch_size = 10 sqs_queue_region = us-east-1 sqs_queue_url = queueName disabled = 0 ... View more

Yes, sure thanks a lot for help. Is there anything that you can suggest me to try before the model rebuilt ? ... View more

Hi Amiracle, Thank you so much for providing that solution. I followed your approach and was able to fix most of the issues but "Most Recent Modifications - Latest 10" is still not working out. Below is the query: (index="main" OR (index="main" OR index="default") OR index="default") sourcetype="aws:cloudtrail" | lookup all_eventName eventName OUTPUTNEW function | search function="S3 Data Event" | spath output=bucketName path="requestParameters.bucketName" | spath output=objectName path=requestParameters.key | spath output=userName path=userIdentity.sessionContext.sessionIssuer.userName | eval error=if(errorCode=="success",0, 1) | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | eval Unauthorized=if(Unauthorized=="true", 1, 0) | stats count by region, aws_account_id, bucketName, objectName, userName, eventName, userAgent, sourceIPAddress,Unauthorized, error, readOnly,_time | search (aws_account_id="") (region="") | search readOnly=false (eventName="DeleteObject" OR eventName="PutObject" OR eventName="PostObject") | sort - _time limit=10 | eval _time=strftime(_time, "%m/%d/%Y %H:%M:%S") | table bucketName, objectName, userName, eventName, sourceIPAddress, userAgent, _time | rename bucketName as BucketName, objectName as ObjectName, userName as UserName, eventName as EventName, sourceIPAddress as "Source IP Address", userAgent as UserAgent, _time as Time The other tab "S3 - Traffic Analysis" is not working at all. ... View more

I have tried most of the things to make that S3 dashboard work but it isn't. Just to explain it little more, I am sending the data to main index with sourcetype="aws:s3:accesslogs" but it is still not working out. I am trying to work on some POC that will need this app as well, if possible then can we connect regarding this on call or email? Query one the view in this dashboard is using. (index="main" OR (index="main" OR index="default") OR index="default") sourcetype="aws:cloudtrail" | lookup all_eventName eventName OUTPUTNEW function | search function="S3 Data Event" | spath output=bucketName path="requestParameters.bucketName" | spath output=objectName path=requestParameters.key | spath output=userName path=userIdentity.userName | eval error=if(errorCode=="success",0, 1) | lookup unauthorized_errorCode errorCode OUTPUT Unauthorized | eval Unauthorized=if(Unauthorized=="true", 1, 0) | stats count by region, aws_account_id, bucketName, objectName, userName, eventName, userAgent, sourceIPAddress,Unauthorized, error, readOnly,_time | search (aws_account_id="") (region="") | stats sum(count) as count sum(error) as errors | nadefault errors count | eval _total_name="Data Events", _total_field=count ... View more