- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- I configured the Splunk App for AWS with a new Clo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I configured the Splunk App for AWS with a new Cloudtrail input, but why are SQS queues not showing up in the drop-down?
I've followed the steps on the page: "New Input: CloudTrail"
I'm receiving Cloudtrail logs in the SQS queue. I've granted the AWS user account used by Splunk AmazonSQSReadOnlyAccess, but when I go to configure the input, the drop-down for "SQS queue" doesn't show any queues.
The AWS policy doc has
"Action": [
"sqs:GetQueueAttributes",
"sqs:ListQueues"
],
So I'm not sure why the Splunk App for AWS isn't showing anything. Did anyone experience this?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There's a bug in the code. I haven't tested it completely, but on or about line 152 of $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.py, you'll see something like:
for topic_name in topics:
make a backup of the file and change it to
if topic_name:
Then remove $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/aws/aws_utils.pyc (note the trailing c) and try again.
"/opt/splunk/etc/apps/splunk_app_aws/bin/aws/aws_utils.py" line 154 of 693 --22%-- col 13
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same problem, this fixed it for me. I'm running Splunk App for AWS v4.2.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running SplunkCloud here as well. This really needs to be fixed, as it severely impacts Splunk's key feature of log ingestion and parsing. Plus it's embarrassing for me to be telling my boss "why isn't it fixed yet" and pull out a lame excuse of "it's a Splunk issue"... and the comeback of "If Splunk is flaky like this, why did spend thousands on it?"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! I'm running Splunk Cloud, so not sure how I go about doing that change (if at all possible)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having the same problem on Splunk Cloud with trying to configure Config and Cloudtrail ingestion via SQS. It is not a permission issue.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
