
Splunk_TA_aws initial_scan_datetime not being honored

pkeller
Contributor

We're trying to grab CloudTrail data sources from AWS using the Splunk_TA_aws, and even though the documentation says that initial_scan_datetime should be configured as a relative time (per: https://docs.splunk.com/Documentation/AddOns/released/AWS/S3), the UI configuration rejects that format.

And when we try to enter a specific date/time, i.e.:

 initial_scan_datetime = 2018-04-01T00:00:00Z

... Splunk still starts trying to collect data as far back as it exists (in our case: 2016).

We've also tried (per the S3 documentation page):

 initial_scan_datetime = -7d@d

And that also fails.

Are we configuring the inputs incorrectly, or is this a bug?


soumyasaha25
Contributor

The initial_scan_datetime cannot be edited once the input is created; maybe you are facing challenges because of this.

As per Splunk documentation: The add-on starts to collect data later than this time. If you leave this field empty, the default value is 90 days before the input is configured.
Note: Once the input is created, this value cannot be changed.

Can you try the following:
Delete/move the S3 bucket -> remove the stanza from your inputs.conf -> add your settings for initial_scan_datetime in the inputs.conf -> restart Splunk services (config changes will only be captured after a restart) -> add the S3 bucket again in the monitored location.

Do let me know if this works. Also, since it's been a while since you posted this question, you might have figured out a solution; in that case, do let me know what fixed this issue (even if it is a temporary solution).

0 Karma
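
An added example, not part of the thread and not the add-on's own code: after recreating the input, this script reads an inputs.conf text and reports which start time each stanza's initial_scan_datetime denotes, so the value on disk can be compared with what the input actually collects. It does not decide which form the add-on accepts. Assumptions: the `aws_s3://` stanza names and the `bucket_name` key in the sample are constructed, the `@d` snap is done in UTC, and the documented 90-day default is measured from the supplied `now` rather than from the input's creation time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (hypothetical stanza names and bucket), not from the thread.
SAMPLE_INPUTS_CONF = """\
[aws_s3://cloudtrail_absolute]
initial_scan_datetime = 2018-04-01T00:00:00Z
[aws_s3://cloudtrail_relative]
initial_scan_datetime = -7d@d
[aws_s3://cloudtrail_default]
bucket_name = example-bucket
"""

ABSOLUTE = "%Y-%m-%dT%H:%M:%SZ"           # the absolute form tried in the question
RELATIVE = re.compile(r"^-(\d+)d(@d)?$")  # only the -Nd / -Nd@d form from the question
DEFAULT_DAYS = 90                         # default quoted from the documentation

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for a Splunk-style .conf text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def resolve_start(value, now):
    """Classify a value and return (kind, UTC start time or None)."""
    if not value:
        return "default", now - timedelta(days=DEFAULT_DAYS)
    try:
        return "absolute", datetime.strptime(value, ABSOLUTE).replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    m = RELATIVE.match(value)
    if m:
        start = now - timedelta(days=int(m.group(1)))
        if m.group(2):  # "@d": snap back to the start of that day
            start = start.replace(hour=0, minute=0, second=0, microsecond=0)
        return "relative", start
    return "unrecognized", None

def audit(text, now):
    return {name: resolve_start(kv.get("initial_scan_datetime", ""), now)
            for name, kv in parse_stanzas(text).items()}
```
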