Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to force timezone for AWS Add-On Inputs (like CloudFront)

rewtroy
Explorer
‎10-26-2021 04:57 PM

With the AWS Add-On for Splunk (version 5.0.3) we can pull logs from a CloudFront S3 bucket via the "Generic S3" type, or from an Application Load Balance with the ELB, Generic S3 type Input.

The problem is that the time format for the CloudFront logs are without timezone specified in the S3 objects and our splunk instance is incorrectly defaulting to localtime.  The ELB logs are correctly converted from UTC to localtime in searches.

How might we force the timezone to UTC for these events at ingest?

I tried creating a /opt/splunk/etc/apps/Splunk_TA_aws/local/props.conf file (yes, $SPLUNK_HOME is /opt/splunk) on our heavy forwarder and restarted with this content:

[aws:cloudfront:accesslogs]
TZ = UTC

Alas, no dice yet.  Suggestions?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rewtroy
Explorer
‎11-03-2021 06:43 AM

Ahh, I think I found the issue.  The TA was pulling in data when it thought it occurred at the present time, but it was interpreting UTC time as -0400 (EDT), thus it was always 4 hours behind the latest.  When it was unwedged, it kept processing data for another four hours and stopped, but I also introduced another problem which caused it to abruptly stop.  I fixed that problem, and retroactively loaded in the old data, so it was able to catch up the gap.  Sometimes you need to spend many hours on a timezone problem before the evidence catches up with you.

Problem now solved.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rewtroy
Explorer
‎10-26-2021 05:12 PM

Hmm,

[splunk@ess1 Splunk_TA_aws]$ splunk btool props list aws:cloudfront:accesslogs | grep TZ
TZ = UTC

0 Karma
Reply
Solved! Jump to solution
Solution

rewtroy
Explorer
‎11-03-2021 06:43 AM

Ahh, I think I found the issue.  The TA was pulling in data when it thought it occurred at the present time, but it was interpreting UTC time as -0400 (EDT), thus it was always 4 hours behind the latest.  When it was unwedged, it kept processing data for another four hours and stopped, but I also introduced another problem which caused it to abruptly stop.  I fixed that problem, and retroactively loaded in the old data, so it was able to catch up the gap.  Sometimes you need to spend many hours on a timezone problem before the evidence catches up with you.

Problem now solved.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...