Splunk Enterprise

Need help with time synchronization, time stamp events by the hosts. Reporting events in the past or future. Thanks a lot

SamHTexas
Builder

I use the below SPL to find how hosts are logging in my environment and how far off the timestamp of the last event sent by each host is from the current time.

| metadata type=hosts ```assumed base search: the metadata command supplies the lastTime and recentTime fields used below```
| eval time_zone_diff = now() - lastTime
| eval recent_time = now() - recentTime
| sort time_zone_diff

The results are hard to read. Instead of reporting which hosts, it just shows so many are late & so many are ahead & no host is listed. Would you help with an SPL, not Meta Woot! App (could not configure it properly) to list which hosts are late & which are reporting event in the future please. Thanks a million in advance.


PickleRick
SplunkTrust

It's not that easy, unfortunately. One thing is that you can find the difference between _time and _indextime, for example by doing:

| tstats latest(_time) as etime latest(_indextime) as itime where index=* by source index host
| eval timediff=itime-etime 
| fieldformat timediff=tostring(timediff,"duration")
| table host index source timediff

But it will show you only how much time passed between the time "in" the event (which might be parsed out of the event, supplied by forwarder, or even explicitly set by source in case of - for example - HEC inputs) and the time at which the event was indexed. It's not a general indication of a time drift between your infrastructure components.

There might be, for example, some sources for which you get data in batches (like reading whole logfiles supplied daily for the whole "yesterday" containing events from throughout the day or WEC subscriptions which update Forwarded Logs at predefined intervals).

So the subject of keeping your time synchronized across your whole infrastructure is not up to Splunk and is not really monitorable by Splunk as such. It's the other way around - the Splunk infrastructure relies on time being set up consistently across all your devices.

Comparing _time and _indextime can however help with finding sources which have problems with timezone definitions.
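Building on the tstats comparison above, here is an added example (not from either post in this thread) that lists each host by name instead of counting them, classifying the gap between its latest event time and index time as late or future-dated. The 60-second and 5-minute thresholds are assumptions to tune for your environment, and the batch-source caveat from the answer still applies to anything this flags.

```spl
| tstats latest(_time) as etime latest(_indextime) as itime where index=* by host
| eval timediff=itime-etime
```` negative: event timestamp is ahead of the indexer clock (future); large positive: arrived late ```
| eval status=case(timediff < -60, "future", timediff > 300, "late", true(), "ok")
| eval lag=tostring(abs(timediff), "duration")
| eval etime_h=strftime(etime, "%Y-%m-%d %H:%M:%S"), itime_h=strftime(itime, "%Y-%m-%d %H:%M:%S")
| where status!="ok"
| sort -timediff
| table host status timediff lag etime_h itime_h
```

Drop the where clause to see every host, including the ones within tolerance, and add index or sourcetype to the by clause if one host sends several feeds with different clocks.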
