Neeraj - can you post cpu.sh stanza from inputs.conf ? also do you see any messages related with this add-on/app in Splunkd.log? ... View more

Neeraj, Add-on needs to be installed on UF only. Install Splunk app for unix/linux on central Splunk server. restart Splunk on UF and see if any errors in splunked.log. also check inputs.conf under local folder, it should have stanzas as follows: [script://./bin/cpu.sh] disabled = false index = os Thanks. ... View more

Could you check following : do you see billing csv file under s3 bucket folder ? S3 bucket name have any uppercase letters ? is physical S3 bucket name identical with aws.conf ? you can also run following command manually and see if there is any output on the screen: $SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/SplunkAppforAWS/bin/get_bill.py thanks Nilesh ... View more

errors.txt gives idea about unavailability of accounts or invalid keys or api calls that failed/timed out. If you look at get_ops.py, you will see ops--3 at line 77. HTH thanks Nilesh ... View more

Hi Bruce, Sure, lets go through the checklist once again in order to verify your setup. Before we do that, can you shoot me an email to nkhetia@splunk.com, so that i can send you some sample screenshots ? Remove cloudtrail setup entry which is already there from last week. add new configuration using same IAM user credentials make sure IAM user is power/admin user who has all grants SQS region and queue name should be identical to one which you setup manually Also while configuring CloudTrail inputs, specify following things: Select More Settings checkbox. Set Source type as Manual and specify "aws-cloudtrail" as Source type. Under index, select destination index as "aws-cloudtrail". In Splunk search bar, try searching for events by index=*, and see if you see any json data. You can also try ingesting CloudTrail data using cloudtrail2splunk.py under bin folder. Please refer USAGE.txt to use the same. Have you tried setting up aws.conf for Billing data ? if so, do you see any data coming in under Billing & Usage dashboards? Thanks Nilesh ... View more

It uses same port. It could be api call to aws are blocked. Can you try using cloudtrail2splunk.py under bin folder? Its manual way to ingest cloudtrail data in splunk. You can refer to USAGE.txt. To use billing & usage, aws.conf needs to be configured. Please refer to README.txt. If it is getting data, api call to aws are not blocked. thx Nilesh ... View more

Hi Bruce, could you send your contact details to nkhetia@splunk.com ? I will try and setup webex to troubleshoot it. thanks Nilesh ... View more

if there are no messages in SQS, make sure it is subscribed to correct sns topic. Please check this link : http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqssubscribe.html Under manual sourcetype, specify "aws-cloudtrail". thx Nilesh ... View more

Hi Bruce, If you are using credentials of IAM user, that IAM user should have enough permissions to access S3 data. Do you see messages queued up under SQS in AWS Management Console ? Also while configuring CloudTrail inputs, have you specified following things ? Select More Settings checkbox. Set Source type as Manual and specify aws-cloudtrail as Source type. Under index, select destination index as aws-cloudtrail. thx Nilesh ... View more

yes .. it requires splunk 6.0. thanks Nilesh ... View more

If you do not see AWS CloudTrail Log type under Settings -> Data inputs, there could be installation issue with AWS App. If you are online, skype me on nkhetia@hotmail.com and we can figure it out, real quick. thanks Nilesh ... View more

There are two portions of this app. Billing and Usage CloudTrail aws.conf is used for Billing and usage portion of the app. and AWS CloudTrail inputs under settings-> Data inputs is used for CloudTrail. Have you configured AWS CloudTrail inputs under settings->Data inputs ? Thanks Nilesh ... View more

yes, mostly you should be able to do it provided - IAM user is created under master account and specify IAM user's credentials in corpkey. ... View more

Hi, corpkey is credentials for master aws account to fetch billing csv file from S3 bucket. if it is not provided, app won't be able to fetch billing csv file. Thanks Nilesh ... View more

Hi Tito, Let me follow up with you offline. thx Nilesh ... View more

yes, it is required in order to get billing work. master account will have to be in [keys] stanza as well as in [misc] stanza. ... View more

Hi Brian, we've resolved this problem long back offline but i would like to reply here so that it will be helpful to others. Thanks to Austin Maze for sending this unanswered post. [keys] accountno - would be 12 digit aws account number without dashes. company/group name - this can be used as internal identifier to mention linked and master aws accounts within your company. aws-access-keys - self explanatory aws-secret-key - self explanatory [regions] - self explanatory [misc] this stanza needs to be configured for billing data. specify master aws account name as company name or corp account name - this is internal identifier. corpkey = mycompany aws-access-key aws-secret-key acno = <12 digit aws account number without dashes for master account> there is a concept in aws to link all accounts to one master account, when there are more than one aws accounts exist for the same organization. These accounts are identified as "linked accounts". Billing is consolidated for all accounts and sent to one account which will be treated as master account. *** master account will have to be in [keys] stanza as well as in [misc] stanza.** s3bucket = aws-splunk s3 bucket name should be in all lowercases. Restart splunk after all configuration is done. Hope this will be helpful. thx -Nilesh ... View more

Hi, There are two files available under the app folder. README.txt - for Billing and usage section USAGE.txt - for CloudTrail section Let me know, if you have any questions after going through it. thanks, Nilesh ... View more