https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505723#M4289 It will "work" in that it will assign the current time to each event that arrives. It masks the latency problem. It makes old events look like new events and may throw off your reports. Tue, 23 Jun 2020 12:29:18 GMT richgalloway 2020-06-23T12:29:18Z https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505234#M4262 <P>I am receiving the logs from the forwarders and can see latency between index time and event time. We have difference between index time and event time is about 15 to 16 hours on more than 300 forwarders. How can&nbsp; i fix this issue?</P> Fri, 19 Jun 2020 17:58:19 GMT https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505234#M4262 uagraw01 2020-06-19T17:58:19Z https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505239#M4263 <P>That's not (usually) a simple fix.&nbsp; There are a variety of causes and finding the root cause will likely require intimate knowledge of your environment.</P><P>Some things to check include:</P><UL><LI>All servers are using NTP (or an equivalent time-sync service)</LI><LI>Time zones are set properly on each server</LI><LI>Event timestamps include a time zone indication or inputs.conf contains the <FONT face="courier new,courier">TZ</FONT> attribute</LI><LI>Props.conf has&nbsp;<FONT face="courier new,courier">TIME_FORMAT</FONT> attributes that correctly extract the time zone from event timestamps</LI><LI>All Splunk forwarders are always running</LI><LI>Any intermediate servers or processes are always running</LI><LI>Events are not cached by the generating server/process before they are sent to Splunk</LI></UL> Fri, 19 Jun 2020 18:27:21 GMT https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505239#M4263 richgalloway 2020-06-19T18:27:21Z https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505653#M4288 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;Is DATETIME_CONFIG = CURRENT will work ?&nbsp;</P> Tue, 23 Jun 2020 05:53:04 GMT https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505653#M4288 uagraw01 2020-06-23T05:53:04Z https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505723#M4289 It will "work" in that it will assign the current time to each event that arrives. It masks the latency problem. It makes old events look like new events and may throw off your reports. Tue, 23 Jun 2020 12:29:18 GMT https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505723#M4289 richgalloway 2020-06-23T12:29:18Z https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505739#M4290 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; Any other solution you can suggest to me. Because our thruput limit is set to 1024kb and that is fine . Any major issue we can fix this permanently.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Jun 2020 13:15:33 GMT https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505739#M4290 uagraw01 2020-06-23T13:15:33Z https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505743#M4291 I offered 7 possible solutions in my first reply. Have you checked them? Tue, 23 Jun 2020 13:41:24 GMT https://community.splunk.com/t5/Monitoring-Splunk/Date-latency/m-p/505743#M4291 richgalloway 2020-06-23T13:41:24Z