Thanks for your reply. Here are some of my errors after I applied your suggestion:
05-05-2014 18:10:00.495 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SplunkAppforAWS/bin/aws-cloudtrail.py" File "/apps/splunk/etc/apps/SplunkAppforAWS/bin/aws-cloudtrail.py", line 219, in run
05-05-2014 18:10:00.495 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SplunkAppforAWS/bin/aws-cloudtrail.py" logging.debug("reading message with id %s at %s",envelope["MessageId"],envelope["Timestamp"])
05-05-2014 18:10:00.495 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SplunkAppforAWS/bin/aws-cloudtrail.py" KeyError: 'MessageId'
I added in a debug line and I do get output similar to yours, just in a different order (the "s3bucket" object and value are before the s3ObjectKey), but then I get the errors above...