[BUG] #466

@shimonShouei

Description

Describe the bug
Hi,
I am using SA eventgen on Windows 10, trying to ingest AWS events. Here is an example:
{"eventVersion": "1.08", "userIdentity": {"type": "AWSService", "invokedBy": "ops.apigateway.amazonaws.com"}, "eventTime": "2022-08-02T13:47:42Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-central-1", "sourceIPAddress": "ops.apigateway.amazonaws.com", "userAgent": "ops.apigateway.amazonaws.com", "requestParameters": {"roleArn": "arn:aws:iam::696714140038:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway", "roleSessionName": "xray-daemon-1659448061988075425", "durationSeconds": 3600}, "responseElements": {"credentials": {"accessKeyId": "ASIA2EN3GDGDF4ON22XX", "sessionToken": "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", "expiration": "Aug 2, 2022, 2:47:41 PM"}, "assumedRoleUser": {"assumedRoleId": "AROA2EN3GDGDKCBZVCZ4H:xray-daemon-1659448061988075425", "arn": "arn:aws:sts::696714140038:assumed-role/AWSServiceRoleForAPIGateway/xray-daemon-1659448061988075425"}}, "requestID": "23929e27-9c6e-4900-867f-07df08ecd76b", "eventID": "c3fedc30-3f02-44e1-ac85-2e0770ae0ced", "readOnly": false, "resources": [{"accountId": "696714140038", "type": "AWS::IAM::Role", "ARN": "arn:aws:iam::696714140038:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "696714140038", "sharedEventID": "4e8cad28-6113-41bd-91ba-a96b9131676b", "eventCategory": "Management"},
This is my eventgen.conf:
[merged_file.json]
mode = replay
end = 1
index = eventgen
sourcetype = aws:cloudtrail
token.0.token = "eventTime": "(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
token.0.replacementType = replaytimestamp
token.0.replacement = %Y-%m-%dT%H:%M:%SZ

My problem:
The logs are ingested and the time field 'eventTime' was replaced correctly, but the ingestion time (the field '_time', the actual time the event was indexed) is +3 hours. My time zone is UTC+3 and I think it is affiliated. I tried to change the time zone in the user preferences, but then the Splunk clock changes as well and is not correlated with the system clock.
I will be glad for any help,
thanks!
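The report above does not establish where in the pipeline the 3-hour offset is introduced, so the following is an added, stand-alone check (not Eventgen or Splunk code) that reproduces the two ways a 'Z'-suffixed CloudTrail eventTime can end up three hours off in a UTC+3 environment: a naive parse wrongly treated as local time (which moves the epoch), versus a correct epoch merely displayed in local wall-clock time (which only moves the rendered string). It reuses the token regex and strftime format from the eventgen.conf in the issue, and the sample event is a constructed, trimmed record carrying the same eventTime as the one posted.

```python
import re
from datetime import datetime, timedelta, timezone

# Token regex and strftime format copied from the eventgen.conf in the issue.
TOKEN_RE = re.compile(r'"eventTime": "(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"')
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: a trimmed CloudTrail record with the same eventTime as the issue.
SAMPLE_EVENT = (
    '{"eventVersion": "1.08", "eventTime": "2022-08-02T13:47:42Z", '
    '"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"}'
)


def extract_event_time(raw_event):
    """Pull the eventTime string out of a raw record using the conf's token regex."""
    match = TOKEN_RE.search(raw_event)
    if match is None:
        raise ValueError("eventTime token not found")
    return match.group(1)


def parse_utc(ts):
    """Parse a 'Z'-suffixed stamp as UTC. strptime matches 'Z' literally and
    returns a naive datetime, so the UTC tzinfo has to be attached explicitly."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def naive_as_local_epoch(ts, local_offset_hours):
    """Epoch obtained if the naive strptime result is wrongly read as local time."""
    local_tz = timezone(timedelta(hours=local_offset_hours))
    return int(datetime.strptime(ts, TS_FMT).replace(tzinfo=local_tz).timestamp())


def skew_seconds(ts, local_offset_hours):
    """Signed error (wrong minus right) introduced by the local-time misreading."""
    return naive_as_local_epoch(ts, local_offset_hours) - int(parse_utc(ts).timestamp())


def render_in_zone(ts, display_offset_hours):
    """The same instant as a UTC+N viewer displays it: correct epoch, shifted wall clock."""
    zone = timezone(timedelta(hours=display_offset_hours))
    return parse_utc(ts).astimezone(zone).isoformat()


def replay_rewrite(raw_event, new_time_utc):
    """Emulate the replaytimestamp token: rewrite eventTime with the conf's format.
    new_time_utc must be timezone-aware; the trailing 'Z' is preserved by TS_FMT."""
    new_ts = new_time_utc.astimezone(timezone.utc).strftime(TS_FMT)
    return TOKEN_RE.sub('"eventTime": "%s"' % new_ts, raw_event)


if __name__ == "__main__":
    ts = extract_event_time(SAMPLE_EVENT)
    print("eventTime        :", ts)
    print("epoch (UTC)      :", int(parse_utc(ts).timestamp()))
    print("epoch if 'local' :", naive_as_local_epoch(ts, 3), "skew:", skew_seconds(ts, 3))
    print("shown in UTC+3   :", render_in_zone(ts, 3))
    print("replayed record  :", replay_rewrite(SAMPLE_EVENT, parse_utc("2022-08-02T14:00:00Z")))
```

If the epoch stored for _time equals the UTC parse and only the displayed string is shifted, the problem is in the viewer's time-zone preference, not in the replayed data; if the stored epoch matches the "local" misreading, the timestamp was parsed without honouring the 'Z' somewhere between generation and indexing.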

Labels: bug (Malfunctioning Eventgen due to potential bug)