
Splunk_TA_aws initial_scan_datetime not being honored

pkeller
Contributor

We're trying to grab CloudTrail data sources from AWS using the Splunk_TA_aws, and even though the documentation says that initial_scan_datetime should be configured as a relative time (per: https://docs.splunk.com/Documentation/AddOns/released/AWS/S3 ), the UI configuration rejects that format.

And when we try to enter a specific date/time, i.e.:

 initial_scan_datetime = 2018-04-01T00:00:00Z

... Splunk still starts trying to collect data as far back as it exists (in our case: 2016).

We've also tried (per the S3 documentation page):

 initial_scan_datetime = -7d@d

And that also fails.

Are we configuring the inputs incorrectly, or is this a bug?


soumyasaha25
Contributor

The initial_scan_datetime cannot be edited once the input is created; maybe you are facing challenges because of this.

As per Splunk documentation: The add-on starts to collect data later than this time. If you leave this field empty, the default value is 90 days before the input is configured.
Note: Once the input is created, this value cannot be changed.

Can you try the following:
delete/move the S3 bucket -> remove the stanza from your inputs.conf -> add your settings for initial_scan_datetime in the inputs.conf -> restart Splunk services (config changes will only be captured after a restart) -> add the S3 bucket again in the monitored location.

Do let me know if this works. Also, since it's been a while since you posted this question, you might have figured out a solution; in that case, do let me know what fixed this issue (even if it is a temporary solution).

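To make the expected behaviour concrete, here is an added example (not code from the Splunk add-on or from either poster) that models what the documentation quoted above says initial_scan_datetime should do: it turns an absolute value like 2018-04-01T00:00:00Z, a relative value like -7d@d, or an empty value (the documented 90-day default) into a cutoff, then keeps only objects from a constructed S3 listing that were modified after that cutoff. The relative-time parsing covers only the offset-plus-snap subset of Splunk's syntax used in the thread, and the listing is made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Splunk relative-time syntax: optional offset (-7d, -12h) then optional snap (@d, @h, @m).
_REL = re.compile(r"^(?:(?P<sign>[+-])(?P<num>\d+)(?P<unit>[smhd]))?(?:@(?P<snap>[mhd]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_SNAP = {"m": ("second",), "h": ("minute", "second"), "d": ("hour", "minute", "second")}


def parse_initial_scan_datetime(value, now):
    """Return the UTC cutoff for an initial_scan_datetime value: the absolute
    ISO 8601 form from the thread (2018-04-01T00:00:00Z), the relative form
    from the S3 docs (-7d@d), or empty, which the docs say means 90 days
    before the input is configured. `now` is only used for the last two."""
    value = value.strip()
    if not value:
        return now - timedelta(days=90)
    m = _REL.match(value)
    if m:
        cutoff = now
        if m["num"]:
            delta = timedelta(**{_UNIT[m["unit"]]: int(m["num"])})
            cutoff = cutoff - delta if m["sign"] == "-" else cutoff + delta
        if m["snap"]:  # snap backwards to the start of the minute/hour/day
            cutoff = cutoff.replace(**{f: 0 for f in _SNAP[m["snap"]]}, microsecond=0)
        return cutoff
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def objects_to_collect(listing, cutoff):
    """Keep only objects modified after the cutoff, which is the documented
    behaviour: the add-on starts to collect data later than this time."""
    return [key for key, last_modified in listing if last_modified > cutoff]


# Constructed (key, LastModified) listing spanning 2016 to 2018, like the poster's bucket; not real data.
LISTING = [
    ("AWSLogs/2016/01/trail.json.gz", datetime(2016, 1, 15, tzinfo=timezone.utc)),
    ("AWSLogs/2017/06/trail.json.gz", datetime(2017, 6, 1, tzinfo=timezone.utc)),
    ("AWSLogs/2018/03/trail.json.gz", datetime(2018, 3, 31, 23, 59, tzinfo=timezone.utc)),
    ("AWSLogs/2018/04/trail.json.gz", datetime(2018, 4, 2, tzinfo=timezone.utc)),
    ("AWSLogs/2018/04/late.json.gz", datetime(2018, 4, 9, 12, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    now = datetime(2018, 4, 10, 15, 30, tzinfo=timezone.utc)  # constructed "now"
    for setting in ("2018-04-01T00:00:00Z", "-7d@d", ""):
        cutoff = parse_initial_scan_datetime(setting, now)
        print(f"{setting or '<empty>':>21} -> {cutoff:%Y-%m-%dT%H:%MZ}:", objects_to_collect(LISTING, cutoff))
```

If an input configured with the absolute value still returns the 2016 and 2017 keys, the setting is not being applied, which is the symptom described in the question.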