Hi Bruce,
Sure, let's go through the checklist once again in order to verify your setup. Before we do that, can you shoot me an email to nkhetia@splunk.com, so that I can send you some sample screenshots?
Remove the CloudTrail setup entry which is already there from last week.
Add a new configuration using the same IAM user credentials.
Make sure the IAM user is a power/admin user who has all grants.
The SQS region and queue name should be identical to the ones which you set up manually.
Also, while configuring CloudTrail inputs, specify the following things:
Select the More Settings checkbox.
Set Source type as Manual and specify "aws-cloudtrail" as Source type.
Under index, select destination index as "aws-cloudtrail".
In the Splunk search bar, try searching for events by index=*, and see if you see any JSON data.
You can also try ingesting CloudTrail data using cloudtrail2splunk.py under the bin folder. Please refer to USAGE.txt to use the same.
Have you tried setting up aws.conf for Billing data? If so, do you see any data coming in under the Billing & Usage dashboards?
Thanks
Nilesh