System Time in Splunk off but log times are correc...

courtneyj · ‎02-12-2021

Here is my environment

Cluster Master, License Master, Deployment Server (on one Splunk instance)

Cluster of 3 indexes

Separate Search Head

Noticed when I checked the Forwarder Manager in my deployment server my clients had not phoned home in 8 hours. Then I ran

index = _internal httppubsubconnection "uri=/services/broker/phonehome"

to see if there were any errors phoning home but to my surprise everything was good. In Forwarder Management I also deleted a record and it came right back which also confirmed a successful phone home but it said 8 hours ago. Ran other searches and the event time and log times are good. Then I noticed in my search history that the previous search I conducted was done 8 hours ago even though I just ran them. Played with time zone in user preference but nothing. Any suggestions on why everything in Splunk is 8 hours behind when it comes to phoning home and when a search was conducted.

manjunathmeti · ‎02-13-2021

Check the server/system date time on the instance where Deployment Server is deployed. Make sure it is matching with the server time of the machine where deployment clients exist.

If this reply helps you, an upvote/like would be appreciated.

System Time in Splunk off but log times are correct

time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation