Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where to check the clock skew?

vrmandadi
Builder
‎07-02-2019 11:12 AM

I have issues with clustering .I tried running the resync command but it says "Downloaded an old snapshot created 10018 seconds ago; Check for clock skew on this member or the captain; If no clock skew is found, check the captain for possible snapshot creation failures
"

Where can I see the clock skew and where can I change it

Labels (1)
Labels
0 Karma
Reply

amitm05
Builder
‎07-02-2019 11:50 AM

Hi @vrmandadi

You can run this to check for time skew among your instances - 

| rest /services/server/info | eval updated_t=round(strptime(updated, "%Y-%m-%dT%H:%M:%S%z"), 2) | eval delta=now()-updated_t | table serverName, updated, delta | convert ctime(updated_t)| rename updated as "Local Time on Server on Request" delta as "Offset - Time in Seconds"

And if you find some gap here, you might want to set your server clocks
Also check -
https://docs.splunk.com/Documentation/Splunk/7.3.0/DistSearch/Troubleshootdistributedsearch

Reply

fredclown
Builder
‎06-08-2023 09:48 AM

I'm not sure this works any more. The update field that is returned from the REST API is always set to"1969-12-31T16:00:00-08:00" for all my servers. Maybe it's just my environment. Anyway, here is an alternate solution.

| rest splunk_server=* /services/search/jobs/export search="| makeresults count=1 | rename _time as time" output_mode=csv
| makemv tokenizer="([^\n]+)" value
| eval local_time=now()
| eval remote_time=mvindex(value,1)
| eval local_time_formatted=strftime(local_time, "%Y-%m-%d %H:%M:%S")
| eval remote_time_formatted=strftime(remote_time, "%Y-%m-%d %H:%M:%S")
| eval delta_secs=abs(local_time-remote_time)
| fields splunk_server, local_time_formatted, remote_time_formatted, delta_secs
| sort - delta_secs

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-08-2023 10:52 AM

To be honest, I know that if you have Splunk you probably want to do everything in Splunk but monitoring the time sync state is something I'd rather do at OS level using your favourite monitoring software (zabbix, nagios, whatever).

0 Karma
Reply

amitm05
Builder
‎07-02-2019 10:54 PM

Let me know by accepting the answer if it responds your query. Thanks

0 Karma
Reply

lmvmandadi
Engager
‎07-12-2019 02:20 PM

I checked the time but the offset-time in seconds did not show anything .But still the error persists

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...