Data Manager

Troubleshooting Manual

This documentation does not apply to the most recent version of Data Manager. For documentation on the most recent version, go to the latest release.

Troubleshoot AWS IAM Credential Report data ingestion

Troubleshoot the AWS IAM Credential Report data ingestion process.

IAM Credential Report data cannot be found

AWS IAM Credential Report data cannot be found

Cause

AWS IAM Credential Reports are not configured correctly, or Splunk HEC is not configured correctly.

Solution

  1. Check the Splunk side HEC configuration. See the HTTP Event Collector (HEC) configuration reference topic in this manual to troubleshoot Splunk software-side HEC configurations.
  2. Log in to the AWS Management Console for the us-east-1 region.
  3. Navigate to EventBridge > Rules and check if SplunkDMIAMCredentialReportScheduleRule exists.

    SplunkDMIAMCredentialReportScheduleRule will be created only in us-east-1, even if you onboard other regions.

  4. Select SplunkDMIAMCredentialReportScheduleRule and verify the following information:
    Check Expected Value
    Status Enabled
    Target SplunkDMIAMCredentialReport Lambda function
    Monitoring This event rule triggers the Lambda function. If you click on Metrics for the rule,

    the graph will show invocations with same time interval.

  5. Navigate to the Target(s) section, and click on SplunkDMIAMCredentialReport.
  6. Navigate to the Lambda function, and select the Configuration > Environment Variables under the Configuration tab.
  7. Under the Environment variables section, verify the following Key/Value information:
    • SPLUNK_DATA_MANAGER_INPUT_ID
    • SPLUNK_HEC_HOST
    • SPLUNK_HEC_TOKEN
  8. Select the Monitor tab, and review the Invocations graph to verify if the Lambda function has been invoked. This lambda function is invoked by SplunkDMIAMCredentialReportScheduleRule at specified intervals. The logs of the Lambda function related to sending events to Splunk via HEC token can be found in CloudWatch Logs. To view logs, click "View logs in CloudWatch".

    The ReportNotPresent error is expected when a new credential report needs to be created.

  9. If the event rule or Lambda function is still not found in the AWS console, then recreate the stack or delete and recreate your Data Manager data input.
  10. If the configuration is correct and your data still cannot be found, Contact Splunk Support.
Last modified on 07 September, 2022
Troubleshoot AWS IAM Access Analyzer data ingestion   Troubleshoot AWS EC2 Instance data ingestion

This documentation applies to the following versions of Data Manager: 1.7.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters