topic Re: /etc/datetime.xml priority timestamp patch / configuration file precedence in Getting Data In

/etc/datetime.xml priority timestamp patch / configuration file precedence

splunkreal — Mon, 11 Oct 2021 14:55:58 GMT

Hello,

regarding https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/FixDatetimexml2020 - in case we upgrade Splunk version does /etc/datetime.xml is still less priority than pushed patch app on shc/idxc/UFs ?

Looking at https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Wheretofindtheconfigurationfiles I may understand /etc is lowest priority?

How do you handle it if you keep V7 universal forwarders and upgrade servers to 8.2.2 version?

Thanks.

Re: /etc/datetime.xml priority timestamp patch / configuration file precedence

richgalloway — Mon, 11 Oct 2021 18:19:12 GMT

If you are running a version of Splunk with the patch then there is no need to update datetime.xml.

The /etc directory is not part of the configuration file precedence order. $SPLUNK_HOME/etc/system/default is the lowest-priority directory.

Just do it, but bear in mind the 7.x UFs will be unsupported soon.

Re: /etc/datetime.xml priority timestamp patch / configuration file precedence

splunkreal — Tue, 12 Oct 2021 07:07:31 GMT

Hi Rich,

Looks like datetime.xml in 8.2.2 is different than in patch.

V4 xml:
<define name="_utcepoch" extract="utcepoch, subsecond">

<text><![CDATA[((?<=^|[\s#,"=\(\[\|\{])(?:1[0123456]|9)\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])]]></text>
</define>

V5 xml:
<define name="_utcepoch" extract="utcepoch, subsecond">

<text><![CDATA[((?<=^|[\s#,"=\(\[\|\{])(?:1[012345678])\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])]]></text>
</define>

Re: /etc/datetime.xml priority timestamp patch / configuration file precedence

richgalloway — Tue, 12 Oct 2021 12:39:30 GMT

Use the newer one.

Re: /etc/datetime.xml priority timestamp patch / configuration file precedence

splunkreal — Wed, 13 Oct 2021 13:13:50 GMT

Support : "the new version of Splunk includes the new parameters, so the workaround are not longer needed if your indexers and HF are running Splunk 8.X, and as I told you before, only the Indexers and HF can do parsing, so that also means that the parameter is not needed in the Universal Forwarders."