I created the data input for AWSConfig by modifying the inputs.conf file, but I don't see the sourcetype aws:config created under Splunk. The AWSConfig messages are sitting in the SQS queue, which means Splunk is not polling from the queue. Any idea what the issue is? How do I troubleshoot the issue?
1 Answer
Assuming the plumbing is working correctly (i.e. you are seeing the SNS notifications collect in the queue), and Splunk is indeed polling the correct queue, the only thing I would suggest is checking the permissions on the queue.
Also, Splunk has an app that does this for you, if you prefer: https://aws.amazon.com/config/partners/splunk/
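
One way to carry out the permission check suggested in the answer, as an added example that is not part of the original thread: an offline check of the IAM policy attached to the credentials Splunk polls with, listing the SQS actions a queue consumer needs that the policy does not grant on the queue. The action list, queue name, account ID and sample policy are assumptions constructed for illustration; confirm the exact action set against the add-on's documentation.

```python
import re

# Assumed minimum for a generic SQS consumer (not taken from the thread).
REQUIRED_ACTIONS = ("sqs:GetQueueUrl", "sqs:GetQueueAttributes",
                    "sqs:ReceiveMessage", "sqs:DeleteMessage")

# Constructed sample values: placeholder account ID and queue names.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:aws-config-queue"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sqs:GetQueue*", "sqs:ReceiveMessage"],
         "Resource": QUEUE_ARN},
        # DeleteMessage is granted, but on a different queue.
        {"Effect": "Allow",
         "Action": "sqs:DeleteMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:other-queue"},
    ],
}

def _as_list(value):
    """IAM allows a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def missing_actions(policy, queue_arn, required=REQUIRED_ACTIONS):
    """Return required actions not effectively allowed on queue_arn.

    An explicit Deny overrides any Allow. Condition, NotAction and
    NotResource are not evaluated, so treat the result as a first pass.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        resource_hit = any(_glob(p, queue_arn) for p in _as_list(stmt.get("Resource")))
        for action in required:
            # Action names are case-insensitive in IAM; ARNs are not.
            action_hit = any(_glob(p, action, True) for p in _as_list(stmt.get("Action")))
            if action_hit and resource_hit:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return [a for a in required if a not in allowed or a in denied]

if __name__ == "__main__":
    print("Missing on queue:", missing_actions(SAMPLE_POLICY, QUEUE_ARN))
```

A non-empty result points at an identity-policy gap; an empty one means the next things to check are the queue's own resource policy and the queue name and region configured in the input.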