Troubleshoot AWS IAM Credential Report data ingestion
Troubleshoot the AWS IAM Credential Report data ingestion process.
IAM Credential Report data cannot be found
AWS IAM Credential Report data cannot be found
Cause
AWS IAM Credential Reports are not configured correctly, or Splunk HEC is not configured correctly.
Solution
- Check the Splunk side HEC configuration. See the HTTP Event Collector (HEC) configuration reference topic in this manual to troubleshoot Splunk software-side HEC configurations.
- Log in to the AWS Management Console for the us-east-1 region.
- Navigate to EventBridge > Rules and check if
SplunkDMIAMCredentialReportScheduleRule
exists.SplunkDMIAMCredentialReportScheduleRule
will be created only in us-east-1, even if you onboard other regions. - Select
SplunkDMIAMCredentialReportScheduleRule
and verify the following information:Check Expected Value Status Enabled Target SplunkDMIAMCredentialReport Lambda function Monitoring This event rule triggers the Lambda function. If you click on Metrics for the rule, the graph will show invocations with same time interval.
- Navigate to the Target(s) section, and click on SplunkDMIAMCredentialReport.
- Navigate to the Lambda function, and select the Configuration > Environment Variables under the Configuration tab.
- Under the Environment variables section, verify the following Key/Value information:
SPLUNK_DATA_MANAGER_INPUT_ID
SPLUNK_HEC_HOST
SPLUNK_HEC_TOKEN
- Select the Monitor tab, and review the Invocations graph to verify if the Lambda function has been invoked. This lambda function is invoked by
SplunkDMIAMCredentialReportScheduleRule
at specified intervals. The logs of the Lambda function related to sending events to Splunk via HEC token can be found in CloudWatch Logs. To view logs, click "View logs in CloudWatch".
The
ReportNotPresent
error is expected when a new credential report needs to be created. - If the event rule or Lambda function is still not found in the AWS console, then recreate the stack or delete and recreate your Data Manager data input.
- If the configuration is correct and your data still cannot be found, Contact Splunk Support.
Troubleshoot AWS IAM Access Analyzer data ingestion | Troubleshoot AWS EC2 Instance data ingestion |
This documentation applies to the following versions of Data Manager: 1.8.1
Feedback submitted, thanks!