
Issues with applying TZ property for AWS CloudWatch log group inputs

sanjeev543
Communicator

Hi All,

I am using the Splunk Add-On for AWS to fetch the CloudWatch log group events. The add-on is installed on an HF, and all the logs are getting the TZ property from the system TZ property of the HF (EDT). Now I want to change the TZ for a couple of CloudWatch log groups to UTC.
Hence, I tried configuring props.conf in Splunk_TA_AWS/local with the following settings:

[cloudwatch:lamba:groups]
TZ = UTC

But I don't see this property getting applied to the logs of this sourcetype.
Is there some other way we need to configure the TZ property for AWS logs?

0 Karma

to4kawa
Ultra Champion

The time zone issue is basically changed to EPOCH time, so I think it's a user preference issue.

The question is.

When searching the log with the user preference UTC, but _time is not UTC.

Is it this?

0 Karma

sanjeev543
Communicator

Yes, even when the user has UTC, it's still showing the _time as EDT, i.e. the time in the event and _time are not matching.

0 Karma

to4kawa
Ultra Champion

If there are no timezone strings (e.g. EDT, JST), TZ works.

Can you use TZ_ALIAS = in props.conf?

And props.conf is required not only for the HF but also for the indexer.

0 Karma
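
The lookup order discussed in this thread (a zone string in the event, then the TZ setting for the sourcetype, then the HF's system zone), as an added example that is not part of the original posts and is not Splunk code. It is a simplified Python model: the sample events, the `ZONES` table, the function names and the alias format (a plain name-to-name map) are assumptions made for illustration.

```python
# Added example: simplified model of timestamp zone resolution, not Splunk code.
import re
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4), "EDT")   # HF system zone from the thread
ZONES = {"UTC": timezone.utc, "EDT": EDT}    # constructed lookup table
STAMP = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: ([A-Z]{2,4})\b)?")

def resolve_epoch(raw, props_tz=None, tz_alias=None, system_tz=EDT):
    """Return (epoch_seconds, rule) for an event starting 'YYYY-MM-DD HH:MM:SS [ZONE]'."""
    m = STAMP.match(raw)
    if m is None:
        raise ValueError("no leading timestamp in event")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    zone_str = m.group(2)
    # A zone string in the event is used first; an alias can remap its meaning.
    name = (tz_alias or {}).get(zone_str, zone_str)
    if name in ZONES:
        tz, rule = ZONES[name], "event"
    elif props_tz is not None:
        tz, rule = ZONES[props_tz], "props"      # TZ from the sourcetype stanza
    else:
        tz, rule = system_tz, "system"           # fall back to the HF's own zone
    return int(naive.replace(tzinfo=tz).timestamp()), rule

# Constructed sample events (not real CloudWatch data)
PLAIN = "2024-07-01 12:00:00 START RequestId: example"
TAGGED = "2024-07-01 12:00:00 EDT START RequestId: example"

def demo():
    return {
        "no props": resolve_epoch(PLAIN),
        "TZ=UTC": resolve_epoch(PLAIN, props_tz="UTC"),
        "TZ=UTC, event says EDT": resolve_epoch(TAGGED, props_tz="UTC"),
        "alias EDT->UTC": resolve_epoch(TAGGED, tz_alias={"EDT": "UTC"}),
    }

if __name__ == "__main__":
    for case, (epoch, rule) in demo().items():
        print(f"{case:24} epoch={epoch} rule={rule}")
```

A four-hour (14400 second) gap between the time printed in an event and its `_time` is the signature of the system-zone fallback being used instead of the intended TZ setting.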