According to the AWS add-on for Splunk, it is strongly recommended to avoid using the Cloudwatch Logs input due to deprecation.
Screenshot from the docs at http://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs :
I have countless AWS Lambda functions which dump their logs to CloudWatch Logs. What is the recommended way to ingest these? Ideally, I'd like them to be available in Splunk in real time, similarly to how they are with our server applications pushing logs through SplunkForwarder.
... View more