All Apps and Add-ons

I configured the Splunk App for AWS with a new Cloudtrail input, but why are SQS queues not showing up in the drop-down?

amirh2
Engager

I've followed the steps on the page: "New Input: CloudTrail"
I'm receiving Cloudtrail logs in the SQS queue. I've granted the AWS user account used by Splunk AmazonSQSReadOnlyAccess, but when I go to configure the input, the drop-down for "SQS queue" doesn't show any queues.

The AWS policy doc has

  "Action": [
    "sqs:GetQueueAttributes",
    "sqs:ListQueues"
  ],

So I'm not sure why the Splunk App for AWS isn't showing anything. Did anyone experience this?

Thanks.

rrich
Explorer

There's a bug in the code. I haven't tested it completely, but on or about line 152 of $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.py, you'll see something like:

for topic_name in topics:

make a backup of the file and change it to

if topic_name:

Then remove $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.pyc (note the trailing c) and try again.

"/opt/splunk/etc/apps/splunk_app_aws/bin/aws/aws_utils.py" line 154 of 693 --22%-- col 13

doug_hall
Explorer

I had the same problem, this fixed it for me. I'm running Splunk App for AWS v4.2.1.

0 Karma

dmckean
Engager

Running SplunkCloud here as well. This really needs to be fixed, as it severely impacts Splunk's key feature of log ingestion and parsing. Plus it's embarrassing for me to be telling my boss "why isn't it fixed yet" and pull out a lame excuse of "it's a Splunk issue"... and the comeback of "If Splunk is flaky like this, why did spend thousands on it?"

0 Karma

amirh2
Engager

Thanks! I'm running Splunk Cloud, so not sure how I go about doing that change (if at all possible)

0 Karma

joehealy
New Member

I am having the same problem on Splunk Cloud with trying to configure Config and Cloudtrail ingestion via SQS. It is not a permission issue.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...