Getting Data In

How do I determine if hosts are in the wrong timezone?

Jason
Motivator

I have finished bringing in any archive data that I need to. Now all data flowing into Splunk is up-to-the-minute, whether it be from a forwarder, a network port, or a script.

How do I tell if certain hosts sending data to Splunk have incorrect timezones?

1 Solution

Jason
Motivator

This is a very important question, as normalization of time is essential so you can have an accurate picture of what actually happened at a certain point in time.

(If you have a datasource in Central time, but your indexer is in Eastern and wasn't told otherwise, it will index the data as Eastern and events will show in Splunk as an hour behind other events that happened that minute!)

One method is to try running this search. Run it over a period that would capture at least one event from each host, such as a day. It compares _time (the epoch time version of the time extracted from the event, adjusted with any timezone in the event or in props.conf) to _indextime (the epoch time version of when Splunk indexed the event). If your data is all current, these should be only seconds off if a datasource is properly configured.

* | dedup host | eval timediff=(_time-_indextime) | eval HoursOff=round(timediff/3600) | search NOT HoursOff=0 | rename _indextime as IndexTime | eval Time=_time | table Time, IndexTime, HoursOff, host

Remember this checks Index Time against Time extracted from the event. It assumes the most recent event from each host is coming in at current time, and isn't archive data.

I'm going to get this into an App, along with a script to add the timezone into the source field for troublesome Linux servers. At some point.
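As an added illustration that is not part of the original answer: a small Python model of the same check, run over constructed sample rows of host, _time and _indextime, that keeps the latest event per host and reports those whose extracted time is hours off from index time. It adds one assumed bound the answer does not state: offsets outside the real UTC range of -12 to +14 hours are reported as archive data or a bad clock rather than a timezone mistake.

```python
"""Offline model of the _time vs _indextime check from the accepted answer.

Constructed sample rows (not real Splunk output): host, the timestamp
extracted from the event (_time) and the time Splunk indexed it
(_indextime), all as epoch seconds.
"""

NOW = 1_700_000_000  # fixed "current" epoch so the sample is deterministic

# Constructed sample: (host, _time, _indextime)
SAMPLE_EVENTS = [
    ("web01", NOW - 30,            NOW - 28),    # healthy: seconds apart
    ("web01", NOW - 3600,          NOW - 3598),
    ("db01",  NOW - 5 - 3600,      NOW - 5),     # extracted time 1h behind index time
    ("db01",  NOW - 90 - 3600,     NOW - 90),
    ("app02", NOW - 10 + 5 * 3600, NOW - 10),    # extracted time 5h ahead of index time
    ("old03", NOW - 7 * 86400,     NOW - 20),    # backfill: a week old, indexed just now
]

# Assumed bound (not from the answer): real UTC offsets span -12:00 to +14:00,
# so a larger gap cannot be a timezone error; treat it as archive or clock drift.
MAX_TZ_OFFSET_HOURS = 14


def latest_event_per_host(events):
    """Like '| dedup host' over results ordered by _time descending."""
    latest = {}
    for host, t, it in events:
        if host not in latest or t > latest[host][0]:
            latest[host] = (t, it)
    return latest


def hours_off(event_time, index_time):
    """round((_time - _indextime) / 3600), exactly as the SPL search computes it."""
    return round((event_time - index_time) / 3600)


def classify_hosts(events):
    """Return {host: (HoursOff, verdict)} for hosts off by at least one hour.

    Hosts with HoursOff == 0 are dropped, matching 'search NOT HoursOff=0'.
    """
    report = {}
    for host, (t, it) in latest_event_per_host(events).items():
        off = hours_off(t, it)
        if off == 0:
            continue
        if abs(off) > MAX_TZ_OFFSET_HOURS:
            report[host] = (off, "not a timezone offset: archive data or bad clock")
        else:
            report[host] = (off, "likely timezone misconfiguration")
    return report


if __name__ == "__main__":
    for host, (off, verdict) in sorted(classify_hosts(SAMPLE_EVENTS).items()):
        print(f"{host:6} HoursOff={off:+d}  {verdict}")
```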

