Alternatively, if Splunk HTTP Event Collector (HEC) is enabled in your particular Splunk deployment, consider instead streaming CloudWatch Logs into Splunk via Lambda, that is, CloudWatch Logs --> Lambda --> Splunk HEC, as explained in this blog post:
http://blogs.splunk.com/2017/02/03/how-to-easily-stream-aws-cloudwatch-logs-to-splunk/
In addition to near real-time data ingestion, you could benefit from automated configuration management. More specifically, instead of having to manually create a CloudWatch Logs input in Splunk for each log group, you can have these Lambda functions created automatically (as part of a CloudFormation template, via the AWS CLI or by other methods) and have them all stream to the same Splunk HEC input.
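The CloudWatch Logs --> Lambda --> Splunk HEC path described above, sketched as an added example (not code from this answer or from the linked Splunk blog post). The environment variable names, the placeholder HEC URL, the sourcetype value and the sample event are assumptions made for illustration.

```python
import base64, gzip, json, os, urllib.request

# Assumed env var names and placeholder URL; the token never lives in the code.
HEC_URL = os.environ.get("SPLUNK_HEC_URL", "https://splunk.example.com:8088/services/collector/event")
HEC_TOKEN = os.environ.get("SPLUNK_HEC_TOKEN", "")

def decode_awslogs(event):
    """CloudWatch Logs hands Lambda base64(gzip(JSON)) in event['awslogs']['data']."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def to_hec_events(payload, sourcetype="aws:cloudwatchlogs"):  # sourcetype is an assumed value
    """Map each log event to one HEC event object; skip non-data messages."""
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE is a subscription check, not log data
    return [{"time": e["timestamp"] / 1000.0,  # ms -> epoch seconds
             "host": payload["logGroup"], "source": payload["logStream"],
             "sourcetype": sourcetype, "event": e["message"]}
            for e in payload.get("logEvents", [])]

def build_request(events, url=HEC_URL, token=HEC_TOKEN):
    if not url.startswith("https://"):
        raise ValueError("refusing to send the HEC token over plaintext HTTP")
    body = "\n".join(json.dumps(ev) for ev in events).encode("utf-8")  # batched HEC body
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Splunk " + token, "Content-Type": "application/json"})

def handler(event, context):
    events = to_hec_events(decode_awslogs(event))
    if events:
        with urllib.request.urlopen(build_request(events), timeout=10) as resp:
            if resp.status != 200:  # surface the failure instead of dropping logs silently
                raise RuntimeError("HEC returned HTTP %d" % resp.status)
    return {"forwarded": len(events)}

def sample_event(message_type="DATA_MESSAGE"):
    """Constructed test input in the CloudWatch Logs subscription format."""
    payload = {"messageType": message_type, "owner": "123456789012",
               "logGroup": "/aws/lambda/demo", "logStream": "2017/02/03/[$LATEST]abc",
               "subscriptionFilters": ["to-splunk"], "logEvents": [
                   {"id": "1", "timestamp": 1700000000000, "message": "login ok user=alice"},
                   {"id": "2", "timestamp": 1700000001500, "message": "login failed user=bob"}]}
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()}}
```

Because every function created this way posts to the same HEC input, the HEC token is the one shared secret: supply it through the function's configuration, not the deployment package, and keep TLS certificate verification at its default.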