Solved: How to configure props.conf to set the universal f...

arkadyz1 · ‎05-25-2016

I'm trying to solve the following problem: in our client's environment, the clocks on different servers can vary greatly. We can easily have a server which is 3 hours behind on its system clock. And it's not a timezone issue - the servers are all supposed to have the same time.

All servers have univeral forwarders sending events to some Splunk Enterprise instances. We want each event to have the time of its import by the universal forwarder as a timestamp. Will setting DATETIME_CONFIG=CURRENT on the forwarder and DATETIME_CONFIG=NONE on the indexer produce the desired result?

arkadyz1 · ‎06-07-2016

OK, first of all to answer the questions about "why not synchronize the clocks" etc. - it is an environment which is out of our control, so instead of trying to fix the problem, we are trying to capture the symptom to be able to report it to our customer.

Second, those settings I suggested, applied to the whole sourcetype (you cannot apply more granularity and go by the source, for example), produced the desired result.

Thanks for all the replies!

View solution in original post

hlarimer · ‎09-24-2016

We actually alert every day on this very thing...when timestamps are incorrect. What I recommend doing is using a search that tells you when timestamps are off and it will allow you to keep up on this. I find existing or new systems with incorrect timestamps on a regular basis (new sites, system rebuilds, etc) but now that we keep up on them its much easier to manage. Here is the search I use for the alert:

| metadata type=hosts index=*  | eval diff=recentTime-lastTime | where diff > 1800 OR diff < -1800 | convert ctime(lastTime) AS last_log_date |  table host diff last_log_date

This search looks for the difference between the recentTime and the lastTime which is the difference of when the log came in versus what it was timestamped. There will always be some difference based on lag so I only alert if its off by 1800 seconds or more. The negative 1800 is important too since it captures timestamps that are set in the future.

arkadyz1 · ‎06-07-2016

OK, first of all to answer the questions about "why not synchronize the clocks" etc. - it is an environment which is out of our control, so instead of trying to fix the problem, we are trying to capture the symptom to be able to report it to our customer.

Second, those settings I suggested, applied to the whole sourcetype (you cannot apply more granularity and go by the source, for example), produced the desired result.

Thanks for all the replies!

kristian_kolb · ‎05-25-2016

Unless you are batching in your logs somehow to the UF, or have SEVERE file monitor lag on your UF's, the event timestamp (as written by some application) and the UF "read-timestamp" should be fairly close to each other. Within seconds - easily - for most normal situations.

The UF program does not maintain its own clock, it uses system time anyway. So if the UF is reading the logs in a timely manner, you would not gain anything.

It looks like you are trying to fix the symptom, rather than the problem, as woodcock suggests.

woodcock · ‎05-25-2016

No, you will have to use Heavy Forwarders and use DATETIME_CONFIG=CURRENT there and nothing else on the indexers. IMHO, this is a terrible idea and the effort ahould be spent on NTP.

somesoni2 · ‎05-25-2016

Should the forwarders have same time set on clock as indexer?? If yes, then set the DATETIME_CONFIG=CURRENT on props.conf, under sourcetype/source/host stanza to set all event timestamp to current time on Indexer.

How to configure props.conf to set the universal forwarder's server time as the event timestamp?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!