I've followed the steps on the page: "New Input: CloudTrail"
I'm receiving CloudTrail logs in the SQS queue. I've granted the AWS user account used by Splunk AmazonSQSReadOnlyAccess, but when I go to configure the input, the drop-down for "SQS queue" doesn't show any queues.
The AWS policy doc has
    "Action": [
        "sqs:GetQueueAttributes",
        "sqs:ListQueues"
    ],
So I'm not sure why the Splunk App for AWS isn't showing anything. Did anyone experience this?
Thanks.
There's a bug in the code. I haven't tested it completely, but on or about line 152 of $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.py, you'll see something like:
    for topic_name in topics:
Make a backup of the file and change it to
    if topic_name:
Then remove $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.pyc (note the trailing c) and try again.
"/opt/splunk/etc/apps/splunk_app_aws/bin/aws/aws_utils.py" line 154 of 693 --22%-- col 13
I had the same problem; this fixed it for me. I'm running Splunk App for AWS v4.2.1.
Running SplunkCloud here as well. This really needs to be fixed, as it severely impacts Splunk's key feature of log ingestion and parsing. Plus it's embarrassing for me to be telling my boss "why isn't it fixed yet" and pull out a lame excuse of "it's a Splunk issue"... and the comeback of "If Splunk is flaky like this, why did we spend thousands on it?"
Thanks! I'm running Splunk Cloud, so not sure how I go about doing that change (if at all possible).
I am having the same problem on Splunk Cloud with trying to configure Config and CloudTrail ingestion via SQS. It is not a permission issue.