Hosts with a large time drift can affect buy and sell orders, because the timestamps and sequencing of orders recorded on that host are no longer trustworthy. You want to see the impacted transactions by listing the volume and monetary amount recorded on that host during the period of intolerable time drift. In particular, you might want to know the aggregate trade volume and amount booked on a time-drifted host.
In order to execute this procedure in your environment, the following data, services, or apps are required (both are referenced by the search below):
- Per-host time-drift measurements, for example SNTP offsets captured to a file and uploaded as a lookup
- Transaction (buy and sell order) data that records the host and time of each trade, either as a lookup file or from a business service data source
To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.
- Use a script to contact an NTP server from each host every N minutes and append the result to a file. A one-liner such as echo `sntp time_server` `hostname` may be enough. Whatever you use, the uploaded file must provide the `date`, `host`, and `drift` fields (the sntp offset, reported in seconds) that the search references.
- Run the following search:
| inputlookup <NTP data by host>
| sort - date
| where drift<-0.1 OR drift>0.1
| lookup <transaction data lookup file> host date
| table date, host, drift, amount, volume
| eval amount=tostring(round(amount, 2),"commas")
The following list explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.
- `| inputlookup <NTP data by host>`: Read only your SNTP drift data from the lookup file you uploaded. `inputlookup` generates results from a lookup file, which is why the search can begin with it (`lookup` only enriches events that an earlier command has already produced).
- `| sort - date`: Sort the results from newest to oldest. The `-` makes the sort descending; use `sort date` if you want oldest to newest.
- `| where drift<-0.1 OR drift>0.1`: Return results where the host time drift is outside the acceptable range. The sntp offset is in seconds, so 0.1 means 100 milliseconds either way. In production, express the threshold in milliseconds to match your tolerance; some banks rely on atomic clocks for precision, and regulatory regimes such as MiFID II RTS 25 require trading clocks within 100 microseconds to 1 millisecond of UTC, depending on the activity.
- `| lookup <transaction data lookup file> host date`: Return the transaction data (amount and volume) recorded on the same host at the same time. You may have a business service data source that pulls this information into your Splunk deployment. The match is on exact equality of `host` and `date`, so both data sets must carry timestamps at the same granularity, for example both rounded to the collection interval.
- `| table date, host, drift, amount, volume`: Display the results in a table with columns in the order shown.
- `| eval amount=tostring(round(amount, 2),"commas")`: Convert the amount to a readable string that is rounded to 2 decimal places and uses comma separators.
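To check the join semantics before you build the lookups, here is the same pipeline (parse the captured sntp lines, keep samples outside tolerance, attribute each trade to the drift sample that covered it, tabulate and total amount and volume) in plain Python. This is an added example, not code from the original page or from Splunk: the sntp output layout, the host names, the 5-minute collection interval and every record are constructed assumptions. It goes one step beyond the exact-match `lookup` by matching a trade to the latest drift sample taken on its host within one collection interval, which is what you need when drift samples and trades do not share identical timestamps.

```python
"""Offline model of the time-drift / transaction correlation search (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

DRIFT_TOLERANCE_S = 0.1                 # the search's threshold: |drift| > 0.1 s (100 ms)
SAMPLE_INTERVAL = timedelta(minutes=5)  # the "every N minutes" of the collection script

# Constructed sample lines in the shape the collection step writes: the sntp(1)
# offset line "<date> <time> (<tz>) <offset> +/- <error> <server> <ip> ..." with the
# hostname echoed after it. The exact sntp layout is an assumption about your build.
RAW_SNTP_LINES = [
    "2024-03-04 09:00:00.000000 (+0000) +0.002100 +/- 0.000400 ntp.example.net 192.0.2.10 s2 no-leap trade-gw-01",
    "2024-03-04 09:05:00.000000 (+0000) -0.350000 +/- 0.000400 ntp.example.net 192.0.2.10 s2 no-leap trade-gw-01",
    "2024-03-04 09:10:00.000000 (+0000) +0.000900 +/- 0.000400 ntp.example.net 192.0.2.10 s2 no-leap trade-gw-01",
    "2024-03-04 09:05:00.000000 (+0000) +0.120000 +/- 0.000400 ntp.example.net 192.0.2.10 s2 no-leap trade-gw-02",
]

# Constructed transaction records standing in for the transaction lookup file.
TRANSACTIONS = [
    {"date": "2024-03-04 09:03:12", "host": "trade-gw-01", "amount": 1250000.456, "volume": 5000},
    {"date": "2024-03-04 09:06:40", "host": "trade-gw-01", "amount": 99999.99, "volume": 400},
    {"date": "2024-03-04 09:08:05", "host": "trade-gw-01", "amount": 50.0, "volume": 1},
    {"date": "2024-03-04 09:11:00", "host": "trade-gw-01", "amount": 75000.0, "volume": 300},
    {"date": "2024-03-04 09:07:00", "host": "trade-gw-02", "amount": 1000.0, "volume": 10},
    {"date": "2024-03-04 09:07:00", "host": "trade-gw-03", "amount": 1000.0, "volume": 10},
]


def parse_sntp_line(line):
    """One captured line -> {date, host, drift}; drift is the sntp offset in seconds."""
    fields = line.split()
    date = datetime.strptime(fields[0] + " " + fields[1][:8], "%Y-%m-%d %H:%M:%S")
    drift = float(fields[3])  # "+0.002100" -> 0.0021; the sign gives the direction of drift
    host = fields[-1]         # hostname appended by the collection script
    return {"date": date, "host": host, "drift": drift}


def drifted_samples(samples, tolerance=DRIFT_TOLERANCE_S):
    """The 'where drift<-0.1 OR drift>0.1' step, newest first like 'sort - date'."""
    out = [s for s in samples if s["drift"] < -tolerance or s["drift"] > tolerance]
    return sorted(out, key=lambda x: x["date"], reverse=True)


def impacted_transactions(samples, transactions, interval=SAMPLE_INTERVAL):
    """Join trades to the drift sample that covered them.

    A lookup on exact 'host, date' equality only matches when both data sets carry
    the same timestamp. Here a trade is attributed to the latest drift sample taken
    on its host at or before the trade, as long as the next sample was not yet due.
    """
    by_host = defaultdict(list)
    for s in samples:
        by_host[s["host"]].append(s)
    rows = []
    for t in transactions:
        when = datetime.strptime(t["date"], "%Y-%m-%d %H:%M:%S")
        covering = [s for s in by_host[t["host"]] if s["date"] <= when < s["date"] + interval]
        if not covering:
            continue  # host was within tolerance (or unmonitored) at that moment
        latest = max(covering, key=lambda x: x["date"])
        rows.append({"date": t["date"], "host": t["host"], "drift": latest["drift"],
                     "amount": t["amount"], "volume": t["volume"]})
    return rows


def format_amount(amount):
    """Equivalent of eval amount=tostring(round(amount, 2), "commas")."""
    return f"{round(amount, 2):,.2f}"


def summarize(rows):
    """Per-host KPI: trades, total volume and total amount booked under intolerable drift."""
    totals = defaultdict(lambda: {"trades": 0, "volume": 0, "amount": 0.0})
    for r in rows:
        totals[r["host"]]["trades"] += 1
        totals[r["host"]]["volume"] += r["volume"]
        totals[r["host"]]["amount"] += r["amount"]
    return {h: {"trades": v["trades"], "volume": v["volume"], "amount": format_amount(v["amount"])}
            for h, v in totals.items()}


def run(raw_lines=RAW_SNTP_LINES, transactions=TRANSACTIONS):
    samples = [parse_sntp_line(line) for line in raw_lines]
    rows = impacted_transactions(drifted_samples(samples), transactions)
    return rows, summarize(rows)


if __name__ == "__main__":
    rows, totals = run()
    for r in rows:  # the 'table date, host, drift, amount, volume' output
        print(f'{r["date"]}  {r["host"]}  {r["drift"]:+.6f}  {format_amount(r["amount"]):>14}  {r["volume"]}')
    print(totals)
```

With the constructed data, only the two trade-gw-01 trades between 09:05 and 09:10 and the trade-gw-02 trade at 09:07 land in the output; the 09:03 and 09:11 trades on trade-gw-01 fall under in-tolerance samples and trade-gw-03 has no drift data at all, which is the case to watch for in production (an unmonitored host silently drops out of the KPI rather than showing up as a problem).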
Correlate the total trade volume and monetary amount of buy or sell orders with the hosts that experienced intolerable time drift, and track the result as a KPI for clock health. Hosts that appear in the transaction data but have no drift samples at all are a gap in monitoring rather than evidence of good time keeping, so make sure every trading host is covered by the collection script.