topic servers time validation in Getting Data In https://community.splunk.com/t5/Getting-Data-In/servers-time-validation/m-p/517923#M87602 <P>good morning</P><P>Is there a way to validate the time of the current splunk servers? Let me explain, during these days there will be a time change so the servers should update their time automatically, but I have seen over time that not all servers are correctly patched, for example a universal forwarder sends certain data and the sourcetype was configured like current_time, this would cause events to arrive either late or early.</P><P>Currently I have this query to validate the time of the servers but I do not know if it is correct.</P><P>| metadata type = hosts index = _internal<BR />| search host = splunk *<BR />| eval recent_time = Now () - recentTime<BR />| eval r_time = strftime (recentTime, "% m /% d /% and% H:% M:% S")<BR />| table host r_time</P><P>Any information is appreciated</P><P>Regards</P> Fri, 04 Sep 2020 14:14:22 GMT efaundez 2020-09-04T14:14:22Z servers time validation https://community.splunk.com/t5/Getting-Data-In/servers-time-validation/m-p/517923#M87602 <P>good morning</P><P>Is there a way to validate the time of the current splunk servers? Let me explain, during these days there will be a time change so the servers should update their time automatically, but I have seen over time that not all servers are correctly patched, for example a universal forwarder sends certain data and the sourcetype was configured like current_time, this would cause events to arrive either late or early.</P><P>Currently I have this query to validate the time of the servers but I do not know if it is correct.</P><P>| metadata type = hosts index = _internal<BR />| search host = splunk *<BR />| eval recent_time = Now () - recentTime<BR />| eval r_time = strftime (recentTime, "% m /% d /% and% H:% M:% S")<BR />| table host r_time</P><P>Any information is appreciated</P><P>Regards</P> Fri, 04 Sep 2020 14:14:22 GMT https://community.splunk.com/t5/Getting-Data-In/servers-time-validation/m-p/517923#M87602 efaundez 2020-09-04T14:14:22Z Re: servers time validation https://community.splunk.com/t5/Getting-Data-In/servers-time-validation/m-p/517974#M87612 <P>Hi</P><P>I haven’t had splunk in my hands now to check this, but I suppose that metadata recentTime is splunk server time not the UF time? If you want to check UF’s time then just look event’s _time from _internal and use also %z to see that time zone is correct and time conversion has done right.<BR />r. Ismo</P> Fri, 04 Sep 2020 20:25:05 GMT https://community.splunk.com/t5/Getting-Data-In/servers-time-validation/m-p/517974#M87612 isoutamo 2020-09-04T20:25:05Z