
servers time validation


Good morning,

Is there a way to validate the time of the current Splunk servers? Let me explain: during these days there will be a time change, so the servers should update their time automatically, but I have seen over time that not all servers are correctly patched. For example, a universal forwarder sends certain data and the sourcetype was configured like current_time; this would cause events to arrive either late or early.

Currently I have this query to validate the time of the servers but I do not know if it is correct.

| metadata type=hosts index=_internal
| search host=splunk*
| eval recent_time = now() - recentTime
| eval r_time = strftime(recentTime, "%m/%d/%y %H:%M:%S")
| table host r_time

Any information is appreciated.


0 Karma



I haven’t had Splunk in my hands now to check this, but I suppose that the metadata recentTime is the Splunk server time, not the UF time? If you want to check the UF’s time, then just look at the event’s _time from _internal and also use %z to see that the time zone is correct and the time conversion has been done right.
r. Ismo

0 Karma
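
Added example, not part of the original posts: one way to apply the suggestion above is to compare each host's event time (_time) with the time the indexer received it (_indextime) in _internal. The 15-minute window, the splunkd sourcetype filter and the 60-second and 3000-second thresholds are assumptions to adjust for your environment.

```spl
index=_internal sourcetype=splunkd earliest=-15m
| eval lag_sec = _indextime - _time
| stats latest(_time) AS last_event median(lag_sec) AS median_lag min(lag_sec) AS min_lag max(lag_sec) AS max_lag BY host
| eval last_event = strftime(last_event, "%m/%d/%y %H:%M:%S %z")
| eval median_lag = round(median_lag, 1)
| eval status = case(abs(median_lag) >= 3000, "possible one-hour offset", abs(median_lag) > 60, "clock skew or delivery delay", true(), "ok")
| sort - median_lag
| table host last_event median_lag min_lag max_lag status
```

A negative median_lag means the host's events carry timestamps ahead of the indexer's clock; a value close to plus or minus 3600 seconds is the pattern a missed time change would produce.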