Thanks for your reply on this. We were seeing a JSON array, which Splunk failed to recognize and make searchable. We were using Lambda for transformation, and one change to the Firehose configuration, from "Raw" to "Event" for the field "Splunk End Point", helped resolve the issue. Also, I changed the source type "aws:cloudwatch" to based on the tests written for the Lambda: https://github.com/splunk/splunk-aws-cloudwatch-streaming-metrics-processor/blob/main/SplunkAWSCloudWatchStreamingMetricsProcessor/test_lambda_function.py

It would be good if the documentation (Source types for the Splunk Add-on for AWS - Splunk Documentation) could also be updated to say that the source type "aws:cloudwatch" is to be used if the Lambda function splunk-aws-cloudwatch-streaming-metrics-processor is used for streaming. This request can be closed with the above comments.