I am using the Splunk App for AWS and the Splunk Add-on for AWS. I have created a descriptions input for my account and can see the sourcetype "aws:descriptions" logs in my custom index. However, the data is not being populated in the dashboards.
When I run one of the searches, I see that the search uses the key aws_account_id; however, in the logs the key is account_id.
For example below is the search for security group rules, and returns no results:
(index="mycustomindex" sourcetype="aws:description" aws_account_id="12345678912" region="" source=":ec2_security_groups") | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m") | where ('_time' > latest_time) | dedup id sortby -_time
When I change the "aws_account_id" key to "account_id", I am able to get results:
(index="mycustomindex" sourcetype="aws:description" account_id="12345678912" region="" source=":ec2_security_groups") | eventstats latest(_time) as latest_time | eval latest_time=relative_time(latest_time,"-55m") | where ('_time' > latest_time) | dedup id sortby -_time
Am I missing a transformation somewhere?
Thanks
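As an added illustration (not part of the original post, and not the Splunk Add-on for AWS's own configuration), the mapping the question describes is the kind of thing a props.conf field alias does at search time: it makes the dashboard's expected field name (aws_account_id) resolve to the field actually extracted from the events (account_id) without touching the indexed data. The stanza below assumes a local override in a custom app; the sourcetype name is taken from the original search, and the "local" path and alias class name are placeholders chosen for this example.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf  (assumed location)
# Search-time field alias: expose the extracted field "account_id"
# under the name "aws_account_id" that the App for AWS dashboards search on.
# The original field remains available; only an additional name is added.
[aws:description]
FIELDALIAS-aws_account_id = account_id AS aws_account_id
```

After restarting or reloading the search head, a search on aws_account_id="12345678912" should match the same events that account_id="12345678912" matches today. Before shipping a permanent alias, it is worth confirming in the search head's btool output (for example, `splunk btool props list aws:description --debug`) whether the add-on already defines an alias for this sourcetype and which configuration layer is winning, since an alias that never appears in the effective config usually points to an app-scope or precedence problem rather than a missing transformation.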