I ran into this same issue; it was because the custom search command "getchecks" doesn't return a result, so the lookup CSV trusted_advisor_checks.csv remains empty. I didn't get it to work from our Splunk Cloud instance, but I queried the AWS API myself and imported the generated lookup file using the Lookup Editor app. The code below is extracted from the custom search command, and prints the id, name and category in a CSV-fashioned way. I left the field "description" out because it contains commas, so you'll need to edit some searches in the dashboard of the AWS Trusted Advisor Aggregator app. Hope this helps!
Cheers,
Christiaan
```python
import boto3
from botocore.exceptions import EndpointConnectionError
from botocore.exceptions import ClientError


def get_checks(results):
    """Print id,name,category for each check and return the collected rows."""
    events = []
    for check in results:
        row = {}
        row['id'] = check['id']
        row['name'] = check['name']
        row['category'] = check['category']
        row['description'] = check['description']
        events.append(row)
        # 'description' is kept in the row but not printed (it contains commas)
        print(row['id'] + "," + row['name'] + "," + row['category'])
    return events


if __name__ == "__main__":
    session_token = None
    region = 'us-east-1'
    try:
        # Credentials come from the default boto3 credential chain
        client = boto3.client(
            'support',
            region_name=region
        )
        checks = client.describe_trusted_advisor_checks(language='en')['checks']
        output = get_checks(checks)
        splunk_results = output
    except EndpointConnectionError as e:
        message = '{}'.format(e)
        print(message)
    except ClientError as e:
        message = '{}'.format(e)
        print(message)
```
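An added example, not part of the post above and not code from the AWS Trusted Advisor Aggregator app: a variant that keeps the "description" column by letting Python's csv module quote fields that contain commas or quotes. The function names, the `--sample` switch and the sample records are assumptions made for illustration; the field names and the lookup file name come from the post.

```python
import csv
import io

FIELDS = ["id", "name", "category", "description"]

# Constructed sample records shaped like entries of the 'checks' list.
SAMPLE_CHECKS = [
    {"id": "chk-0001", "name": "Example check, with comma",
     "category": "security",
     "description": 'Checks ports, e.g. 22.<br>\nSays "red" when open.'},
    {"id": "chk-0002", "name": "Example check two", "category": "cost_optimizing"},
]


def checks_to_csv(checks):
    """Render check dicts as CSV text with a header row and safe quoting."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS,
                            quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writeheader()
    for check in checks:
        row = {}
        for field in FIELDS:
            # Collapse newlines/tabs so every check stays on one physical line;
            # a missing field becomes an empty cell instead of raising KeyError.
            row[field] = " ".join(str(check.get(field, "")).split())
        writer.writerow(row)
    return buf.getvalue()


def fetch_checks(region="us-east-1"):
    """Query the AWS Support API (same call as in the post above)."""
    import boto3  # imported here so the sample path runs without boto3
    client = boto3.client("support", region_name=region)
    return client.describe_trusted_advisor_checks(language="en")["checks"]


if __name__ == "__main__":
    import sys
    checks = SAMPLE_CHECKS if "--sample" in sys.argv else fetch_checks()
    with open("trusted_advisor_checks.csv", "w", newline="",
              encoding="utf-8") as fh:
        fh.write(checks_to_csv(checks))
```

Run with `--sample` to write the file from the constructed records without contacting AWS.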