Is there a way to validate the time of the current splunk servers? Let me explain: during these days there will be a time change, so the servers should update their time automatically, but I have seen over time that not all servers are correctly patched. For example, a universal forwarder sends certain data and the sourcetype was configured as current_time; this would cause events to arrive either late or early.
Currently I have this query to validate the time of the servers but I do not know if it is correct.
| metadata type=hosts index=_internal | search host=splunk* | eval recent_time=now()-recentTime | eval r_time=strftime(recentTime, "%m/%d/%y %H:%M:%S") | table host r_time
I haven’t had splunk in my hands now to check this, but I suppose that metadata recentTime is the splunk server time, not the UF time? If you want to check the UF’s time then just look at the event’s _time from _internal and also use %z to see that the time zone is correct and the time conversion has been done right. r. Ismo
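As an added example (not from either post) that follows the suggestion above: this search compares each forwarder's own log timestamps (_time, parsed from the splunkd log lines the UF writes with its local clock) against the indexer's _indextime, and prints both with %z so a wrong time zone or DST offset is visible per host. The host=splunk* filter is taken from the question; the 60-second and 3600-second thresholds are assumptions.

```spl
index=_internal sourcetype=splunkd host=splunk*
| eval skew_sec = _indextime - _time
| eval event_time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| eval index_time = strftime(_indextime, "%Y-%m-%d %H:%M:%S %z")
| stats latest(event_time) AS last_event_time
        latest(index_time) AS last_index_time
        avg(skew_sec) AS avg_skew_sec
        min(skew_sec) AS min_skew_sec
        max(skew_sec) AS max_skew_sec
        BY host
| eval status = case(abs(avg_skew_sec) > 3600, "hour-level skew: check DST / time zone",
                     abs(avg_skew_sec) > 60, "minute-level skew: check NTP / forwarding delay",
                     true(), "ok")
| sort - avg_skew_sec
```

skew_sec mixes clock error with forwarding latency, so a steady offset of almost exactly one hour points at a missed DST change, while a small positive value that varies is normal queueing delay.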