I'm trying to solve the following problem: in our client's environment, the clocks on different servers can vary greatly. We can easily have a server which is 3 hours behind on its system clock. And it's not a timezone issue - the servers are all supposed to have the same time.
All servers have universal forwarders sending events to some Splunk Enterprise instances. We want each event to have the time of its import by the universal forwarder as a timestamp. Will setting `DATETIME_CONFIG=CURRENT` on the forwarder and `DATETIME_CONFIG=NONE` on the indexer produce the desired result?