MiFID II time drift

You might need to check for hosts with a large time drift when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


The MiFID II best execution principle states that firms must "take all sufficient steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order." Hosts that have a large time drift may affect best execution. You need to monitor for time drift.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source. 

  1. Use a script to contact an NTP server on a host every N minutes and capture the results to a file.  A script such as echo `sntp time_server` `hostname` may be enough.
  2. Run the following search:
    |lookup <NTP data by host>
    |sort - date
    |where drift<-0.1 OR drift>+0.1
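
The collector from step 1, as an added example that is not part of the original page: it writes rows with the `date` and `drift` fields the search uses, plus `host`. The output path, the function names, and the assumed shape of the sntp output (offset in seconds as a signed decimal followed by `+/-`) are assumptions.

```sh
#!/bin/sh
# Added example (not Splunk's code): collector for step 1 of the procedure.
# Assumption: sntp prints the offset in seconds as a signed decimal followed
# by "+/-"; adjust parse_offset for clients that print something else.
NTP_SERVER="${NTP_SERVER:-time_server}"         # placeholder name from the page
OUT_FILE="${OUT_FILE:-/var/tmp/ntp_drift.csv}"  # hypothetical output path

# Print the first signed offset found in sntp output; exit 1 if there is none.
parse_offset() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^[+-][0-9]+\.[0-9]+$/ && $(i + 1) == "+/-") {
                v = $i; sub(/^[+]/, "", v); print v; found = 1; exit
            }
    } END { exit !found }'
}

# Build one "date,host,drift" row from sntp output, a host name and a timestamp.
make_record() {
    drift=$(parse_offset "$1") || return 1
    printf '%s,%s,%s\n' "$3" "$2" "$drift"
}

# Same condition as the search: true when drift < -limit or drift > +limit.
out_of_tolerance() {
    awk -v d="$1" -v t="${2:-0.1}" 'BEGIN { exit !(d < -t || d > t) }'
}

# Query the server once and append a row; a failed query is logged to stderr
# instead of writing a row with an empty drift value.
collect() {
    [ -f "$OUT_FILE" ] || echo 'date,host,drift' > "$OUT_FILE"
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if row=$(make_record "$(sntp "$NTP_SERVER" 2>&1)" "$(hostname)" "$now"); then
        echo "$row" >> "$OUT_FILE"
    else
        echo "$now sntp query to $NTP_SERVER returned no offset" >&2
    fi
}

# Cron usage (every N minutes): collector.sh run
if [ "${1:-}" = "run" ]; then collect; fi
```

Rows with no drift value never reach the file, so a host whose NTP queries fail shows up as missing data rather than as zero drift; alert on that gap separately.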

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `\| lookup <NTP data by host>` | Search only your SNTP data from the file you uploaded. |
| `\| sort - date` | Sort the results from oldest to newest. |
| `\|where drift<-0.1 OR drift>+0.1` | Return results where the host time drift is outside an acceptable range. In production, use milliseconds for thresholds. Some banks may rely on atomic clocks for precision. |


If the time drift in the log entry is above a tolerance, the host should be fixed as trades may be impacted. You might also want to understand how time drift has impacted buy and sell orders.