I am attempting to do a clean install of Splunk 6.2, Splunk Add-on for Amazon Web Services 1.1.0, and Splunk App for AWS 3.0 in order to be able to pull in CloudTrail, Config, and CloudWatch data. In previous versions of Splunk App for AWS and Splunk 6.0, setting up the data inputs automatically created indexes named "aws-cloudtrail-index" and "aws-data" (I also created an aws-config-notifications index, which appears to be what all the canned panels are configured to search).
It appears that this version does not create these indexes automatically. I have manually created them and changed the index options for my data inputs to use these indexes. Data does appear to be indexed, as events and MBs are increasing. However, any searches against these indexes are returning no results.
I would expect the following search to return all events in the database. It does in my implementation of 6.0 + 2.0, but nothing is returned with the new app.
aws-cloudtrail-index eventName=* | table _time,eventName,userIdentity.userName
Anyone have a working implementation of the new app? Any assistance or guidance would be appreciated.
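For reference, an indexes.conf fragment defining the three indexes named in the post, added here as an example and not taken from the poster's setup or from the app's own configuration; the stanza names come from the post, while the paths and retention values are assumptions.

```ini
# Example $SPLUNK_HOME/etc/system/local/indexes.conf (constructed example).
# Splunk only searches indexes that exist on the indexer at search time, so
# each index the inputs write to needs a stanza like these. A Splunk restart
# (or "splunk reload index") is required before the stanzas take effect.

[aws-cloudtrail-index]
homePath   = $SPLUNK_DB/aws-cloudtrail-index/db
coldPath   = $SPLUNK_DB/aws-cloudtrail-index/colddb
thawedPath = $SPLUNK_DB/aws-cloudtrail-index/thaweddb
# Assumed retention: keep CloudTrail audit events for one year (seconds).
frozenTimePeriodInSecs = 31536000

[aws-data]
homePath   = $SPLUNK_DB/aws-data/db
coldPath   = $SPLUNK_DB/aws-data/colddb
thawedPath = $SPLUNK_DB/aws-data/thaweddb

[aws-config-notifications]
homePath   = $SPLUNK_DB/aws-config-notifications/db
coldPath   = $SPLUNK_DB/aws-config-notifications/colddb
thawedPath = $SPLUNK_DB/aws-config-notifications/thaweddb
```

Note that a bare term such as aws-cloudtrail-index at the start of a search is treated as a keyword against the default index, not as an index selector; restricting the search with index=aws-cloudtrail-index eventName=* | table _time,eventName,userIdentity.userName targets the index explicitly.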