Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Universal Forwarder Local Clock

santosh_sshanbh
Path Finder
‎03-02-2020 12:29 AM

I have more than 100 UF deployed and wan to know the date and time of each of the forwarders to be shown in real time basis on a dashboards. How I can read the clock data of a UF on a real time basis?

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎03-02-2020 06:32 AM

Best practice is that all of your forwarders uses a synchronised time source, in many cases thats likely NTP or the Windows Time Service.

The problem with your question, is how would you trust what a UF thinks its time is vs what it really is.

You would be relying on the UF knowing two times - the real time, and its local time.
You could write a simple scripted input to query a known good time source like an ntp server, and write its result alongside your UF's local time into a logfile and configure your inputs.conf to collect both times so you could compare any drift (but you can expect a few ms difference between the two even on a perfectly synced system)

Then, there is your use of the dreaded phrase "real time". At the risk of running away on a tangent, take a look at this post for reasons why "real-time" in your use case is probably a bad idea.
https://answers.splunk.com/answers/734767/why-are-realtime-searches-disliked-in-the-splunk-w.html

If my comment helps, please give it a thumbs up!
0 Karma
Reply

santosh_sshanbh
Path Finder
‎03-02-2020 09:53 PM

Thanks for the inputs. QQ, can you share some thoughts on how to get the time of NTP server?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...