Re: how does time synchronization work between for...

gnanaraj_mcc · ‎05-22-2017

Hi
we have hosts sending logs to indexer using universal forwarders. The hosts are spread across different time zones.
i want to know how the indexer Synchronize different time zones into one. Can you refer any document or something?

thank you

woodcock · ‎05-22-2017

The Indexers work by doing whatever you tell them to do. If you tell them nothing about timezones, then each indexer will assume that any event with a date missing a timezone is using the same timezone as that Indexer's host OS and that event will be assigned a value of local for date_zone. This is TERRIBLE rookie admin, though; I do not allow events with date_zone = local to exist on any of my Indexers. Each event should EITHER have the TZ value inside of each event's timestamp OR each host+sourcetype combination should have a TZ=foo/bar in a props.conf on every Indexer. That is the way to do it or you are going to have broken (mis-normalized) times inside of Splunk events (all over the place).

woodcock · ‎05-23-2017

In other words, there is no synchronization, there is a normalization to UTC in the form of time_t AKA epoch.

sloshburch · ‎05-23-2017

@woodcock strikes again! FTW!

gcusello · ‎05-22-2017

Hi
Have you already seen the foillowing answer?
https://answers.splunk.com/answers/52235/if-multiple-hosts-in-different-time-zones-are-sending-logs-...

Every way the documentation is at https://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Applytimezoneoffsetstotimestamps

Bye.
Giuseppe

how does time synchronization work between forwarder and indexer?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!