We have a large number of separate AWS accounts that we are collecting VPC flowlog data from. Each of these accounts will push to a centralized account that has Kinesis streams deployed in all of our active regions. We have an input created for each region's stream. The data looks to be getting indexing properly within Splunk, though the Splunk App VPC flowlog dashboards don't display any data.
Looking at the searches on the dashboards, they are set to look for source="dest_port" or source="src_ip". Our ingested data looks more like source="us-east-1:VPCFlowLogs:eni-12345678-all" for this part of the event. Is this input type incompatible with Kinesis streams that receive cross-account input? We would really like to avoid having to pay for and manage streams in every account separately, as well as configure new inputs every time we add a new account.
↧