All Apps and Add-ons

Splunk Add-on for Amazon Web Services. Why am I unable to get Cloudwatch in Splunk?

wstallwood
New Member

Hi

I have tried to follow the setup guide for creating inputs and cloudtrail and was-config are working great now. However, I cannot get any data into Splunk from cloudwatch. Usual suspects such as IAM permissions etc are all verified (and working for the other services)

index = _internal source=*aws_cloudwatch* 

Just shows repeated messages of....

2015-08-03 21:42:01,743 INFO pid=20635 tid=MainThread file=aws_cloudwatch.py:stream_events:978 | query work queued = 0, deferred = 0 , scan_time = 0.000s

I suspect my config around metric_dimensions isn't quite right, but the docs are a little vague on this. I wanted to capture information from any instance in my (small) account, but even setting to a specific Instance ID, I still get no data and my cloudwatch index is reported as empty. (config below)

It's driving me mad now and although I can find a few people reporting the same problem, I can't see any posted answers.

Any help appreciated.

[aws_cloudwatch]
aws_account = xxxxxxxxxxxxxxx
aws_region = eu-west-1
metric_namespace = AWS/EC2
metric_names = ["CPUUtilization","DiskReadOps","StatusCheckFailed_System"]
metric_dimensions = [{"InstanceId":"i-e42a8aa9", "Region":"eu-west-1"}]
statistics = ["Average","Maximum","Minimum","Sum"]
period = 60
polling_interval = 60
sourcetype = aws:cloudwatch
queueSize = 128KB
persistentQueueSize = 24MB
interval = 30
index = aws-cloudwatch
0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

that log says it's getting into the queue okay, but not finding anything there. Can you look at the queue from Amazon's management page and see if there are messages?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...