All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issues with applying TZ property for AWS CloudWatch log group inputs

sanjeev543
Communicator
‎05-17-2020 12:22 AM

Hi All,

I am using the Splunk Add-On for AWS to fetch the CloudWatch log group events, add-on is installed on HF and all the logs are getting TZ property from System TZ property of HF(EDT). Now I wanted to change the TZ for couple of CloudWatch log groups to UTC.
Hence, I tried configuring the props.conf in the Splunk_TA_AWS/local with following settings

[cloudwatch:lamba:groups]
TZ = UTC

But I don't see logs are getting this property getting applied for this sourcetype logs
Is there some other way, we need to config TZ property for AWS logs.

0 Karma
Reply

to4kawa
Ultra Champion
‎05-17-2020 01:27 AM

The time zone issue is basically changed to EPOCH time, so I think it's a user preference issue.

The question is.

When searching the log with the user preference UTC, but _time is not UTC.

Is it this?

0 Karma
Reply

sanjeev543
Communicator
‎05-17-2020 02:38 AM

Yes, even when the user has UTC, it's still showing the _time as EDT i.e time in event and _time are not matching

0 Karma
Reply

to4kawa
Ultra Champion
‎05-17-2020 02:54 AM

If there is not timezone strings(e.g. EDT, JST), TZ is works.

Can you use TZ_ALIAS = on props.conf ?

and props.conf is required not only for HF but also for indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...