Skip to main content


Splunk Lantern

MiFID II time drift


The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to check for hosts with a large time drift. For more information, review the use case complying with the Markets in Financial Instruments Directive II.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.  In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search Explanation
| lookup <NTP data by host> Search only your SNTP data from the file you uploaded.
| sort - date Sort the results from oldest to newest.
|where drift<-0.1 OR drift>+0.1

Return results where the host time drift is outside an acceptable range. 

In production, use milliseconds for thresholds. Some banks may rely on atomic clocks for precision.