Universal Forwarder Local Clock

santosh_sshanbh — Mon, 02 Mar 2020 08:29:01 GMT

I have more than 100 UF deployed and wan to know the date and time of each of the forwarders to be shown in real time basis on a dashboards. How I can read the clock data of a UF on a real time basis?

Re: Universal Forwarder Local Clock

nickhills — Mon, 02 Mar 2020 14:32:40 GMT

Best practice is that all of your forwarders uses a synchronised time source, in many cases thats likely NTP or the Windows Time Service.

The problem with your question, is how would you trust what a UF thinks its time is vs what it really is.

You would be relying on the UF knowing two times - the real time, and its local time.
You could write a simple scripted input to query a known good time source like an ntp server, and write its result alongside your UF's local time into a logfile and configure your inputs.conf to collect both times so you could compare any drift (but you can expect a few ms difference between the two even on a perfectly synced system)

Then, there is your use of the dreaded phrase "real time". At the risk of running away on a tangent, take a look at this post for reasons why "real-time" in your use case is probably a bad idea.
https://answers.splunk.com/answers/734767/why-are-realtime-searches-disliked-in-the-splunk-w.html

Re: Universal Forwarder Local Clock

santosh_sshanbh — Tue, 03 Mar 2020 05:53:24 GMT

Thanks for the inputs. QQ, can you share some thoughts on how to get the time of NTP server?

topic Universal Forwarder Local Clock in Splunk Enterprise

Universal Forwarder Local Clock

Re: Universal Forwarder Local Clock

Re: Universal Forwarder Local Clock