×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
drggfish1
Explorer
Member since: 3 weeks ago
Friday
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎12-20-2025
Activity Feed
View All

Re: Splunk Add-on for AWS

by in Getting Data In
Friday
Friday
Update - I just added my Role Arn to the configuration for the Splunk Add on for AWS in Splunk.  So in addition to the account information I added the Assume Role information. It now works. I am assuming this is the way it is supposed to work. Thoughts? ... View more

Re: Splunk Add-on for AWS

by in Getting Data In
Friday
Friday
Thanks for the input livehybrid. I guess I am still not following the way it is supposed to work. For me, I have a user SplunkUser that has a trust relationship with SplunkRole. The user SplunkUser is given permissions to "sts:AssumeRole" After the SplunkUser assumes the SplunkRole - the Role has permissions to list queues but yes, the error implies that the SplunkUser is attempting to list queues, not the Role. Any further guidance would be welcomed. Thanks!  ... View more

Splunk Add-on for AWS

by in Getting Data In
Thursday
Thursday
I am trying to configure the Splunk Add-on for AWS for brining in CloudTrail logs via SQS S3. I have the following User, Role, and Permissions set up in AWS: SplunkUser I have the following permissions defined: { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::MYACCOUNTNUMBER:role/SplunkRole" } ] } I have the following SplunkRole defined: Trust Relationship { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MYACCOUNTNUMBER:user/SplunkUser" }, "Action": "sts:AssumeRole", "Condition": {} } ] } I have the following permissions attached to the Splunk Role and from a previously created "SplunkSQSPolicy" { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:GetQueueUrl", "sqs:SendMessage", "sqs:DeleteMessage", "s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:GetBucketTagging", "s3:GetAccelerateConfiguration", "s3:GetBucketLogging", "s3:GetLifecycleConfiguration", "s3:GetBucketCORS", "kms:Decrypt" ], "Resource": [ "*" ] } ] } I keep getting the following ERROR: An error occurred (AccessDenied) when calling the ListQueues operation: User: arn:aws:iam::MYACCOUNTNUMBER:user/SplunkUser is not authorized to perform: sqs:listqueues on resource: arn:aws:sqs:us-east-1:MYACCOUNTNUMBER: because no identity-based policy allows the sqs:listqueues action I am not sure why this is failing, I have the sqs:listqueues API call listed in the Permission Policy. Please advise, Thanks! ... View more
Labels

Universal Forwarder

by in Getting Data In
3 weeks ago
3 weeks ago
I am getting a mismatch between the version of OPENSSL installed on my OS and in the Universal Forwarder. It seems to be keeping me from running the Universal Forwarder as a systemd process. NAME="AlmaLinux" VERSION="10.1 (Heliotrope Lion)" [splunk@ip-172-31-34-212 bin]$ openssl version OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025) systemctl: /opt/splunkforwarder/lib/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by /usr/lib64/systemd/libsystemd-shared-257-13.el10.alma.1.so) Thanks   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
Friday
Karma given to
View All