Hi
I have tried to follow the setup guide for creating inputs and cloudtrail and was-config are working great now. However, I cannot get any data into Splunk from cloudwatch. Usual suspects such as IAM permissions etc are all verified (and working for the other services)
index = _internal source=*aws_cloudwatch*
Just shows repeated messages of....
2015-08-03 21:42:01,743 INFO pid=20635 tid=MainThread file=aws_cloudwatch.py:stream_events:978 | query work queued = 0, deferred = 0 , scan_time = 0.000s
I suspect my config around metric_dimensions isn't quite right, but the docs are a little vague on this. I wanted to capture information from any instance in my (small) account, but even setting to a specific Instance ID, I still get no data and my cloudwatch index is reported as empty. (config below)
It's driving me mad now and although I can find a few people reporting the same problem, I can't see any posted answers.
Any help appreciated.
[aws_cloudwatch]
aws_account = xxxxxxxxxxxxxxx
aws_region = eu-west-1
metric_namespace = AWS/EC2
metric_names = ["CPUUtilization","DiskReadOps","StatusCheckFailed_System"]
metric_dimensions = [{"InstanceId":"i-e42a8aa9", "Region":"eu-west-1"}]
statistics = ["Average","Maximum","Minimum","Sum"]
period = 60
polling_interval = 60
sourcetype = aws:cloudwatch
queueSize = 128KB
persistentQueueSize = 24MB
interval = 30
index = aws-cloudwatch
... View more