We ran into this same issue unfortunately. A previous administrator set it up using Generic S3. Over time the performance got so bad we tried using Incremental S3 and ran into this issue. Due to the history and the need to 'just make it work', we went the route of modifying the app to include the org id in the path. The caveat here is that this means you can't use the CloudTrail Incremental S3 input for anything else unless it contains the same org id structure. It also means we're running the app on an on-prem forwarder and not within Splunk Cloud... In our case our plan is to move to streaming logs through HEC via Amazon Kinesis, so the workaround is temporary. Otherwise I would have not agreed to hacking up the add-on in the first place...

File: Splunk_TA_aws/bin/splunk_ta_aws/modinputs/incremental_s3/cloudtrail_logs.py

    def _enumerate_partitions(self, s3, bucket):
        partitions = list()
        # workaround: hard-code the organization id into the prefix
        #prefix = self._prefix + 'AWSLogs/'
        prefix = self._prefix + 'AWSLogs/o-1234567890/'
        ...
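As an added example (not the add-on's code and not part of the reply above), a small Python helper that detects the optional organization-id segment in CloudTrail S3 key layouts instead of hard-coding it into the prefix, so the same enumeration works for both single-account and organization trails; the sample keys, org id and account ids are constructed.

```python
import re
from typing import Iterable, List, Tuple

# CloudTrail object keys use one of two layouts (both shown in the constructed
# sample keys below; the org id and account ids are made up):
#   flat trail:          AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>
#   organization trail:  AWSLogs/<org-id>/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>
# The stock add-on assumes the flat layout; this helper detects the optional
# org-id segment rather than baking one org id into the prefix.
_ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")

SAMPLE_KEYS = [  # constructed, not real objects
    "AWSLogs/o-1234567890/111122223333/CloudTrail/us-east-1/2024/01/02/a.json.gz",
    "AWSLogs/o-1234567890/444455556666/CloudTrail/eu-west-1/2024/01/02/b.json.gz",
    "AWSLogs/o-1234567890/111122223333/CloudTrail-Digest/us-east-1/2024/01/02/c.json.gz",
    "AWSLogs/777788889999/CloudTrail/us-west-2/2024/01/02/d.json.gz",
]

def parse_cloudtrail_key(key: str) -> Tuple[str, str, str]:
    """Return (org_id, account_id, region); org_id is '' for a flat trail.
    Raises ValueError for keys that are not CloudTrail log objects."""
    parts = key.split("/")
    if "AWSLogs" not in parts:
        raise ValueError("no AWSLogs segment: " + key)
    rest = parts[parts.index("AWSLogs") + 1:]
    org_id = ""
    if rest and _ORG_ID.match(rest[0]):
        org_id, rest = rest[0], rest[1:]
    if len(rest) < 3 or not _ACCOUNT_ID.match(rest[0]) or rest[1] != "CloudTrail":
        raise ValueError("unexpected CloudTrail layout: " + key)
    return org_id, rest[0], rest[2]

def enumerate_partitions(keys: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated partition prefixes (down to the region segment)
    for both layouts; digest files and unrelated objects are skipped."""
    partitions = set()
    for key in keys:
        try:
            org_id, account, region = parse_cloudtrail_key(key)
        except ValueError:
            continue
        base = "AWSLogs/" + (org_id + "/" if org_id else "")
        partitions.add(f"{base}{account}/CloudTrail/{region}/")
    return sorted(partitions)

if __name__ == "__main__":
    for p in enumerate_partitions(SAMPLE_KEYS):
        print(p)
```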