Issues with applying TZ property for AWS CloudWatc...

sanjeev543 · ‎05-17-2020

Hi All,

I am using the Splunk Add-On for AWS to fetch the CloudWatch log group events, add-on is installed on HF and all the logs are getting TZ property from System TZ property of HF(EDT). Now I wanted to change the TZ for couple of CloudWatch log groups to UTC.
Hence, I tried configuring the props.conf in the Splunk_TA_AWS/local with following settings

[cloudwatch:lamba:groups]
TZ = UTC

But I don't see logs are getting this property getting applied for this sourcetype logs
Is there some other way, we need to config TZ property for AWS logs.

to4kawa · ‎05-17-2020

The time zone issue is basically changed to EPOCH time, so I think it's a user preference issue.

The question is.

When searching the log with the user preference UTC, but _time is not UTC.

Is it this?

sanjeev543 · ‎05-17-2020

Yes, even when the user has UTC, it's still showing the _time as EDT i.e time in event and _time are not matching

to4kawa · ‎05-17-2020

If there is not timezone strings(e.g. EDT, JST), TZ is works.

Can you use TZ_ALIAS = on props.conf ?

and props.conf is required not only for HF but also for indexer.

Issues with applying TZ property for AWS CloudWatch log group inputs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms