Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Different timestamp recognition for same stanza

bfernandez
Communicator
‎11-27-2012 02:28 PM

I am gathering perfmon data from two windows servers but Splunk 5.0 no correctly recognize the timestamp in one of them.

[perfmon://LocalPhysicalDisk]
counters = % Free Space;Free Megabytes
interval = 60
object = LogicalDisk
disabled = 0

Wrong timestamp data is generated on a cloud server with a different time that our network although we are both using the default Microsoft ntp server.

Splunk Timestamp Data Timestamp
11/22/12 9:53:49.765 PM 11/22/2012 21:53:49.765 (local sever)
11/22/12 10:05:38.000 PM 11/22/2012 22:06:21.062 (cloud server)

Why Splunk doesn’t simply use the timestamp of the data?

Thanks!!

Reply

bfernandez
Communicator
‎12-19-2012 09:53 AM

I am using the default value /etc/datetime.xml to recognise the timestamp in data

Reply

sowings
Splunk Employee
Splunk Employee
‎12-19-2012 09:03 AM

Do you have DATETIME_CONFIG = CURRENT in your props.conf?

0 Karma
Reply

gfuente
Motivator
‎12-19-2012 08:29 AM

Hello Borja

You should set up correctly the time configuration from windows time to syncronize with a central time server

Reagrds

Reply

bfernandez
Communicator
‎11-29-2012 10:55 AM

All the servers have the same TZ, but not the same time, so in this case splunk should use the server's TZ.

I reckon that the problem is other but I will try setting this option in props.conf.

Thanks.

Reply

lguinn2
Legend
‎11-28-2012 05:40 PM

Splunk may be trying to consider the timezone of each server. This might be found in the event - or it could be set in props.conf for cloud server.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...