Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Anyone know if its possible to pull back the time from all the Splunk infrastructure?

andynewsoncap
Engager
‎09-29-2022 06:35 AM

Hello,

Anyone know if its possible to pull back the time from all the Splunk infrastructure.  I have over 200 IDX / SHD / DEP etc etc server.  In 4 Regions around the world.  And I think my NTP is failing / drifting.  And I what to show my IT Dept the problem if we have one.

So is it possible to ask, all the Splunk infrastructure the time.  So I can see / show at a glance oh that IDX server is 5 mins out from its cluster buddy's?

Thanks.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-14-2022 01:29 PM

Typically you'd use an external infrastructure monitoring solution (like Nagios/Zabbix/whatever) to check the difference between host's time and a known reliable time source.

The idea of monitoring time is always tricky. Especially with splunk where everything is time related and you can't trust the server's time to... monitor the server's time 🙂

So you either have to check the server's reported time and verify it with an external reliable source (but you can't report it using simply timestamps on events since events have unknown delay; so you'd need another way to query them near real-time) or have the servers themselves query a reliable time source and report their findings along with their own timestamp. But tha boils down to querying a remote NTP which is what I understand is failing in your case.

0 Karma
Reply

russellliss
Path Finder
‎10-14-2022 01:09 PM

Hi @andynewsoncap

What about creating a custom app that executes:

Linux: date +%Y-%m-%d_%H:%M

Windows: Get-Date -format "yyyy-MM-dd_HH:mm"

and have your splunk components send the output to your indexers?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-29-2022 07:02 AM

Hi @andynewsoncap,

yes it's possible, but it isn't a configuration to do in Community, it requires the intervene of a Splunk Professional Service or al least a Splunk Architect with experience in multisite architectures.

with an infrastructure with your dimensions I hint to use Splunk PS!

ciao.

Giuseppe

0 Karma
Reply

andynewsoncap
Engager
‎09-29-2022 07:07 AM

I just smile at this point 🙂

0 Karma
Reply

andynewsoncap
Engager
‎09-30-2022 02:01 AM

Ok so what about asking is it possible to pull back the real time from one Splunk infrastructure component.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-30-2022 02:12 AM

Hi @andynewsoncap,

you could disable real time searches for your users, but it's a last solution.

I hint to try to set the correct timezone for the users, Splunk should manage different timezones.

I din't try with many Splunk servers, but with two Splunk Cloud Servers it correctly runs.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...