We're trying to grab CloudTrail data sources from AWS using the Splunk_TA_aws, and even though the documentation says that initial_scan_datetime should be configured as a relative time (per: https://docs.splunk.com/Documentation/AddOns/released/AWS/S3 ), the UI configuration rejects that format.
And when we try to enter a specific date/time, i.e.:
initial_scan_datetime = 2018-04-01T00:00:00Z
... Splunk still starts trying to collect data as far back as it exists (in our case: 2016).
We've also tried: (per the S3 documentation page )
initial_scan_datetime = -7d@d
And that also fails.
Are we configuring the inputs incorrectly, or is this a bug?
The initial_scan_datetime cannot be edited once the input is created; maybe you are facing challenges because of this.
As per Splunk documentation: The add-on starts to collect data later than this time. If you leave this field empty, the default value is 90 days before the input is configured.
Note: Once the input is created, this value cannot be changed.
Can you try the following:
delete/move the S3 bucket -> remove the stanza from your inputs.conf -> add your settings for initial_scan_datetime in the inputs.conf -> restart Splunk services (config changes will only be captured after a restart) -> add the S3 bucket again in the monitored location.
Do let me know if this works. Also, since it's been a while since you posted this question, you might have figured out a solution; in that case, do let me know what fixed this issue (even if it is a temporary solution).
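Because the value cannot be changed once the input exists, it helps to resolve what an initial_scan_datetime setting will actually request before the stanza is written. The script below is an added example, not Splunk's or the add-on's code: it accepts both forms discussed in this thread (an ISO 8601 instant and a Splunk-style relative modifier such as -7d@d), audits the aws_s3 stanzas in an inputs.conf text, and treats an empty value as the 90-days-before default quoted in the answer. The [aws_s3://<name>] stanza form, the s/m/h/d units, and the sample stanzas are assumptions.

```python
# Added example, not Splunk's code. Assumes [aws_s3://<name>] stanza names,
# relative values with s/m/h/d units and an optional @<unit> snap, and that an
# empty value means the 90-days-before default quoted in the thread.
import re
from configparser import ConfigParser
from datetime import datetime, timedelta, timezone

_REL = re.compile(r"^(?P<off>[+-]\d+)(?P<unit>[smhd])(?:@(?P<snap>[smhd]))?$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TRUNCATE = {  # fields zeroed when snapping to the start of a unit
    "s": {"microsecond": 0},
    "m": {"second": 0, "microsecond": 0},
    "h": {"minute": 0, "second": 0, "microsecond": 0},
    "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
}
# Constructed fixed clock so the sample run is reproducible (not a real deployment value).
REFERENCE_NOW = datetime(2018, 4, 10, 15, 30, tzinfo=timezone.utc)

def resolve_scan_datetime(value, now):
    """Return the UTC instant `value` denotes at tz-aware UTC time `now`.
    Accepts "2018-04-01T00:00:00Z", "-7d@d", or "" (90-day default);
    anything else raises ValueError, the case the UI rejected in the question."""
    value = (value or "").strip()
    if not value:
        return now - timedelta(days=90)
    m = _REL.match(value)
    if m:
        when = now + timedelta(seconds=int(m["off"]) * _SECONDS[m["unit"]])
        return when.replace(**_TRUNCATE[m["snap"]]) if m["snap"] else when
    # fromisoformat understands "+00:00" on every supported Python version
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def audit_inputs(conf_text, now):
    """Map each aws_s3 stanza in inputs.conf text to its resolved start instant."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    return {name: resolve_scan_datetime(cp[name].get("initial_scan_datetime", ""), now)
            for name in cp.sections() if name.startswith("aws_s3://")}

# Constructed sample stanzas, not taken from any real deployment.
SAMPLE_INPUTS_CONF = """[aws_s3://cloudtrail-example]
initial_scan_datetime = -7d@d

[aws_s3://cloudtrail-default]
initial_scan_datetime =
"""

if __name__ == "__main__":
    for stanza, start in audit_inputs(SAMPLE_INPUTS_CONF, REFERENCE_NOW).items():
        print(f"{stanza}: objects newer than {start.isoformat()} will be collected")
```

Running it against your real inputs.conf (passing datetime.now(timezone.utc) as `now`) shows the start instant each stanza will use, so a value that silently falls back to the default, or a format the add-on would not parse, is caught before the input is created.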