I am gathering perfmon data from two Windows servers, but Splunk 5.0 does not correctly recognize the timestamp in one of them.
[perfmon://LocalPhysicalDisk]
counters = % Free Space;Free Megabytes
interval = 60
object = LogicalDisk
disabled = 0
The wrong timestamp data is generated on a cloud server with a different time than our network, although we are both using the default Microsoft NTP server.
Splunk Timestamp | Data Timestamp
11/22/12 9:53:49.765 PM | 11/22/2012 21:53:49.765 (local server)
11/22/12 10:05:38.000 PM | 11/22/2012 22:06:21.062 (cloud server)
Why doesn't Splunk simply use the timestamp of the data?
Thanks!!
I am using the default value /etc/datetime.xml to recognise the timestamp in the data.
Do you have DATETIME_CONFIG = CURRENT in your props.conf?
Hello Borja
You should correctly set up the time configuration from Windows Time to synchronize with a central time server.
Regards
All the servers have the same TZ, but not the same time, so in this case Splunk should use the server's TZ.
I reckon that the problem is something else, but I will try setting this option in props.conf.
Thanks.
Splunk may be trying to consider the timezone of each server. This might be found in the event, or it could be set in props.conf for the cloud server.
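A quick check of the two rows in the question, as an added example that is not part of any post in this thread: it computes the gap between Splunk's timestamp and the timestamp in the data and tests whether that gap could be a timezone offset. The 15-minute step, the 2-second tolerance and the function names are assumptions made for the example.

```python
from datetime import datetime

# Rows copied from the question's table:
# (host label, Splunk timestamp, timestamp found in the data)
ROWS = [
    ("local server", "11/22/12 9:53:49.765 PM", "11/22/2012 21:53:49.765"),
    ("cloud server", "11/22/12 10:05:38.000 PM", "11/22/2012 22:06:21.062"),
]

SPLUNK_FMT = "%m/%d/%y %I:%M:%S.%f %p"   # 12-hour clock, two-digit year
DATA_FMT = "%m/%d/%Y %H:%M:%S.%f"        # 24-hour clock, four-digit year
TZ_STEP = 900      # assumption: UTC offsets are multiples of 15 minutes
TOLERANCE = 2.0    # assumption: seconds of slack allowed around a match


def classify(splunk_ts, data_ts):
    """Return (delta_seconds, verdict) for one event."""
    indexed = datetime.strptime(splunk_ts, SPLUNK_FMT)
    in_event = datetime.strptime(data_ts, DATA_FMT)
    delta = (indexed - in_event).total_seconds()
    if abs(delta) <= TOLERANCE:
        return delta, "match"
    # A timezone mix-up shifts the time by a whole number of 15-minute steps.
    nearest = round(delta / TZ_STEP) * TZ_STEP
    if nearest != 0 and abs(delta - nearest) <= TOLERANCE:
        return delta, "timezone offset"
    return delta, "not a timezone offset"


def report(rows=ROWS):
    """Classify every row, keyed by host label."""
    return {host: classify(s, d) for host, s, d in rows}


if __name__ == "__main__":
    for host, (delta, verdict) in report().items():
        print(f"{host}: {delta:+.3f}s -> {verdict}")
```

The same comparison can be run over a larger export of events to see whether the gap on the cloud server is constant or varies from event to event.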