Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

SearchHead with different times (_time)

isac_santana
Explorer
‎10-29-2024 07:26 AM

Good morning,

I need help. I have three SearchHead servers.

Two of them (SH1 and SH2) are presenting the "_time" field correctly. However, the other server (SH3) is presenting the "_time" field with three hours more than the other two (SH1 and SH2).

How do I resolve this?


SH2 - Normal

isac_santana_0-1730211725301.png


SH3 - With three more hours. (With same search range)

isac_santana_1-1730211866683.png

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pavinic
Engager
‎10-30-2024 07:41 AM

Siga os comandos abaixo no linux, compare com os servidores existentes, e aplique o timezone desejado

# MUDAR TIMEZONE DO SERVICOR via linux
# identifica timezone do servidor
timedatectl
# lista os timezones
timedatectl list-timezones
# configura o timezone desejado
sudo timedatectl set-timezone America/Sao_Paulo
 
Captura de Tela 2024-10-30 às 11.12.19.png

View solution in original post

Reply
Solved! Jump to solution
Solution

pavinic
Engager
‎10-30-2024 07:41 AM

Siga os comandos abaixo no linux, compare com os servidores existentes, e aplique o timezone desejado

# MUDAR TIMEZONE DO SERVICOR via linux
# identifica timezone do servidor
timedatectl
# lista os timezones
timedatectl list-timezones
# configura o timezone desejado
sudo timedatectl set-timezone America/Sao_Paulo
 
Captura de Tela 2024-10-30 às 11.12.19.png
Reply
Solved! Jump to solution

dural_yyz
Motivator
‎10-29-2024 07:57 AM

Are the search heads in the same time zone, are they configured for the same time zone?

Are the user profiles set to the appropriate time zone?

There are a lot of factors at play here and mostly to do with local configurations which you haven't confirmed yet.

0 Karma
Reply
Solved! Jump to solution

isac_santana
Explorer
‎10-29-2024 11:13 AM

Hey, good afternoon.

The configurations on these servers weren't done by me, and I have limited knowledge of Splunk administration. That’s why it's been challenging to identify where the "_time" discrepancy is coming from.

  • The search query is exactly the same, retrieving the same data within the same time range.

  • The user’s timezone is set to "Default System TimeZone."

  • I believe all the SHs are also set to "Default System TimeZone" (although it’s been difficult to confirm this information).

SH1 and SH2 are older servers, while SH3, which shows the difference in "_time," is a recently installed and configured server within the cluster (also configured by someone else).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...