- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: I configured the Splunk App for AWS with a new...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I configured the Splunk App for AWS with a new Cloudtrail input, but why are SQS queues not showing up in the drop-down?
I've followed the steps on the page: "New Input: CloudTrail"
I'm receiving Cloudtrail logs in the SQS queue. I've granted the AWS user account used by Splunk AmazonSQSReadOnlyAccess, but when I go to configure the input, the drop-down for "SQS queue" doesn't show any queues.
The AWS policy doc has
"Action": [
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
So I'm not sure why the Splunk App for AWS isn't showing anything. Did anyone experience this?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's a bug in the code. I haven't tested it completely, but on or about line 152 of $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.py, you'll see something like:
for topic_name in topics:
make a backup of the file and change it to
if topic_name:
Then remove $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.pyc (note the trailing c) and try again.
"/opt/splunk/etc/apps/splunk_app_aws/bin/aws/aws_utils.py" line 154 of 693 --22%-- col 13
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same problem, this fixed it for me. I'm running Splunk App for AWS v4.2.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running SplunkCloud here as well. This really needs to be fixed, as it severely impacts Splunk's key feature of log ingestion and parsing. Plus it's embarrassing for me to be telling my boss "why isn't it fixed yet" and pull out a lame excuse of "it's a Splunk issue"... and the comeback of "If Splunk is flaky like this, why did spend thousands on it?"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! I'm running Splunk Cloud, so not sure how I go about doing that change (if at all possible)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having the same problem on Splunk Cloud with trying to configure Config and Cloudtrail ingestion via SQS. It is not a permission issue.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
