index=* sourcetype=aws:cloudwatch (Shows no data) and I'm seeing the following error in the log:
2017-11-21 18:43:44,228 level=ERROR pid=12773 tid=Thread-22 logger=splunktalib pos=event_writer.py:write_events:268 | Failed to post events to HEC_URI=https://127.0.0.1:8088/services/collector, error_code=413, reason=
Unexpected request data received
I've triple checked my permissions. Any ideas?
Thanks!
I created a case with Splunk tech support and they found my problem. I'm not sure if this solution would always help other who have problems collecting Cloudwatch data but it might be something to look at.
See quote below:
"The Add-on for AWS sends data to the Http Event Collector and is trying to send it to the default port. To fix this you will need to update the port setting for cloudwatch. To do this, please create the following file with the following content:
/opt/splunk/etc/apps/Splunk_TA_aws/local/aws_cloudwatch.conf
[global_settings]
hec_port = 8067
Restart Splunk and you should start receiving data."