I have CloudTrail logs for around 20 AWS accounts that I want to pull into Splunk. I'm using Splunk Web.
The way I'm doing this is to create a single bucket to store the CloudTrail logs and then a separate trail, SNS topic, and SQS queue for each region in each account.
In Splunk, I create an input for each account and then add the SQS queue for each region to the input. That way I pull in separate SQS queues, but they are still under one input.
In total, I'll have around 20 inputs for AWS if I do it this way. Should this be fine in Splunk Web?
It seems like adding multiple accounts GREATLY increases CPU usage. Additional accounts seem to slow Splunk Web down considerably. I spun up a c4.2xlarge in AWS, and the CPU is at almost 90% with 7 accounts added with CloudTrail inputs for each account. This is sort of frustrating. I'm thinking my only other option is to just configure an S3 input for Splunk. I would think I'd be able to pull in more accounts than this.
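The setup described in the question (trail writes to one shared bucket, the trail's SNS topic fans out to an SQS queue, and an input per account drains the queues) hinges on the small delivery notification that flows through SQS. The following is an added illustration, not the poster's configuration and not code from the Splunk Add-on for AWS: it parses a constructed notification body the way a queue-based S3 input has to, pulls the originating account and region out of the CloudTrail object key, and flags objects whose account does not match the input they arrived on. The SNS envelope shape, the `s3Bucket`/`s3ObjectKey` payload, the `AWSLogs/<account>/CloudTrail/<region>/...` key layout, and the sample account ID and file names are assumptions made for the example.

```python
import json
import re
from typing import Dict, List

# Key layout CloudTrail uses when writing to S3 (optional prefix, then
# AWSLogs/<12-digit account>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz).
# The regex is an assumption about that layout, not Splunk add-on code.
_CLOUDTRAIL_KEY = re.compile(
    r"^(?:.*?/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/"
)

# Constructed SQS message body: the SNS envelope that a trail's SNS topic
# delivers into a subscribed queue. Account ID, bucket and file names are made up.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:cloudtrail-us-east-1",
    "Message": json.dumps({
        "s3Bucket": "example-central-cloudtrail-bucket",
        "s3ObjectKey": [
            "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
            "111122223333_CloudTrail_us-east-1_20240501T0000Z_example.json.gz",
            "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/05/01/"
            "111122223333_CloudTrail-Digest_us-east-1_20240501T000000Z.json.gz",
        ],
    }),
})


def parse_delivery_notification(sqs_body: str) -> List[Dict[str, str]]:
    """Return one record per CloudTrail log object named in a delivery notification.

    Accepts either the SNS envelope (default SNS -> SQS delivery) or the bare
    payload (SNS raw message delivery). Objects outside the CloudTrail log key
    layout, such as digest files, are skipped rather than ingested as events.
    """
    outer = json.loads(sqs_body)
    if isinstance(outer, dict) and outer.get("Type") == "Notification" and "Message" in outer:
        payload = json.loads(outer["Message"])
    else:
        payload = outer

    bucket = payload["s3Bucket"]
    keys = payload.get("s3ObjectKey", [])
    if isinstance(keys, str):
        keys = [keys]

    records = []
    for key in keys:
        match = _CLOUDTRAIL_KEY.match(key)
        if match is None:
            continue
        records.append({
            "bucket": bucket,
            "key": key,
            "account": match.group("account"),
            "region": match.group("region"),
        })
    return records


def check_input_scope(records: List[Dict[str, str]], expected_account: str) -> Dict[str, List[Dict[str, str]]]:
    """Split records into those owned by this input's account and strays.

    With one bucket shared by many accounts, a queue attached to the wrong
    trail would silently feed another account's events into this input, so
    the account parsed from the key is compared with the input's account.
    """
    result: Dict[str, List[Dict[str, str]]] = {"in_scope": [], "stray": []}
    for rec in records:
        result["in_scope" if rec["account"] == expected_account else "stray"].append(rec)
    return result


if __name__ == "__main__":
    recs = parse_delivery_notification(SAMPLE_SQS_BODY)
    for r in recs:
        print(f"{r['account']} {r['region']} s3://{r['bucket']}/{r['key']}")
    print(check_input_scope(recs, "111122223333"))
```

Because every notification names the account and region in the object key, the per-account/per-region mapping does not have to be encoded in the number of Splunk inputs; the same parsing works whether each account has its own input or several queues feed one input, which is the trade-off the question is weighing.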