All Apps and Add-ons

Issues with applying TZ property for AWS CloudWatch log group inputs

sanjeev543
Communicator

Hi All,

I am using the Splunk Add-On for AWS to fetch the CloudWatch log group events, add-on is installed on HF and all the logs are getting TZ property from System TZ property of HF(EDT). Now I wanted to change the TZ for couple of CloudWatch log groups to UTC.
Hence, I tried configuring the props.conf in the Splunk_TA_AWS/local with following settings

[cloudwatch:lamba:groups]
TZ = UTC

But I don't see logs are getting this property getting applied for this sourcetype logs
Is there some other way, we need to config TZ property for AWS logs.

0 Karma

to4kawa
Ultra Champion

The time zone issue is basically changed to EPOCH time, so I think it's a user preference issue.

The question is.

When searching the log with the user preference UTC, but _time is not UTC.

Is it this?

0 Karma

sanjeev543
Communicator

Yes, even when the user has UTC, it's still showing the _time as EDT i.e time in event and _time are not matching

0 Karma

to4kawa
Ultra Champion

If there is not timezone strings(e.g. EDT, JST), TZ is works.

Can you use TZ_ALIAS = on props.conf ?

and props.conf is required not only for HF but also for indexer.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...