Query regarding Patch for "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" post.
On 25th Nov 2019, the post "https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020" is asking to patch all Splunk instances instead of "Splunk Cloud, Splunk Enterprise indexer, Splunk Enterprise heavy forwarder, and Splunk Light instances" a day before.
Does this mean that on Splunk enterprise Clustered setup, this file must be patched on Cluster master, SH deployer, License Master, Indexers, Search-heads and all heavy & universal forwarder instances?
just indexers & heavy forwarder instances?
Also, on Splunk Enterprise All-in-one setups, this file must be patched. Correct?
Thanks in advance,
The Docs keep on getting updated with the latest details. Refer to the
Impact section for details:
Also our team has tested various date formats and that get impacted after 2020 Jan. The utcepoch time only gets impacted after Sep 23. 2020 but it's better to fix all before Jan 1, 2020.
Here is the link :
You have to patch every instance that parses data that could contain such timestamps with two digit years or epoch format.
This definitely includes all indexers and HF. If you can be 100% sure that you will never ingest such logs on your SH, CM, DS, etc... you may be able to ignore them, but as some Linux logs on those boxes might be ingested now or in the future, I'd advise to patch them too. Maybe you can use the opportunity to update Splunk, too.
Be aware that you might even have to patch the UFs, if you use features like INDEXED_EXTRACTIONS or force_local_processing. An example of such a built-in sourcetype that would be affected is CSV.
@pbadhe_2 since this is related to timestamp recognition, I would say any instance that can index. Sometimes SHs can also index data which is forwarded to IDX cluster.