Re: System Time in Splunk off but log times are co...

courtneyj · ‎02-12-2021

Here is my environment

Cluster Master, License Master, Deployment Server (on one Splunk instance)

Cluster of 3 indexes

Separate Search Head

Noticed when I checked the Forwarder Manager in my deployment server my clients had not phoned home in 8 hours. Then I ran

index = _internal httppubsubconnection "uri=/services/broker/phonehome"

to see if there were any errors phoning home but to my surprise everything was good. In Forwarder Management I also deleted a record and it came right back which also confirmed a successful phone home but it said 8 hours ago. Ran other searches and the event time and log times are good. Then I noticed in my search history that the previous search I conducted was done 8 hours ago even though I just ran them. Played with time zone in user preference but nothing. Any suggestions on why everything in Splunk is 8 hours behind when it comes to phoning home and when a search was conducted.

manjunathmeti · ‎02-13-2021

Check the server/system date time on the instance where Deployment Server is deployed. Make sure it is matching with the server time of the machine where deployment clients exist.

If this reply helps you, an upvote/like would be appreciated.

System Time in Splunk off but log times are correct

time

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023