
servers time validation

efaundez
Path Finder

Good morning,

Is there a way to validate the time of the current Splunk servers? Let me explain: during these days there will be a time change, so the servers should update their time automatically, but I have seen over time that not all servers are correctly patched. For example, a universal forwarder sends certain data and the sourcetype was configured like current_time; this would cause events to arrive either late or early.

Currently I have this query to validate the time of the servers but I do not know if it is correct.

| metadata type=hosts index=_internal
| search host=splunk*
| eval recent_time = now() - recentTime
| eval r_time = strftime(recentTime, "%m/%d/%y %H:%M:%S")
| table host r_time

Any information is appreciated

Regards

0 Karma

soutamo
SplunkTrust

Hi

I haven’t had Splunk in my hands now to check this, but I suppose that the metadata recentTime is the Splunk server time, not the UF time? If you want to check the UF’s time, then just look at the event’s _time from _internal and also use %z to see that the time zone is correct and the time conversion has been done right.
r. Ismo

0 Karma
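
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: compare each event's `_time` with its `_indextime` for the forwarders' own `_internal` events and list the hosts whose median difference is large. The `sourcetype=splunkd` filter, the 15-minute index-time window and the 300-second threshold are assumptions to adjust for your environment.

```spl
index=_internal sourcetype=splunkd _index_earliest=-15m _index_latest=now earliest=-1d latest=+1d
| eval lag_sec = _indextime - _time
| stats count median(lag_sec) as median_lag_sec min(lag_sec) as min_lag_sec max(lag_sec) as max_lag_sec max(_time) as last_event by host
| eval direction = case(median_lag_sec < -300, "event time ahead of indexer", median_lag_sec > 300, "event time behind indexer", true(), "ok")
| where direction != "ok"
| eval last_event = strftime(last_event, "%m/%d/%y %H:%M:%S %z")
| sort - max_lag_sec
| table host count median_lag_sec min_lag_sec max_lag_sec direction last_event
```

Selecting by index time (`_index_earliest`) with a wide `earliest`/`latest` range keeps events whose timestamps are in the past or the future relative to the indexer, which a normal time-range search would miss. A large positive lag can also come from delayed delivery rather than a wrong clock, so confirm on the host before changing anything.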