Splunk - TimeStamp Recognition Update

pratapa
Explorer

Hi,

We have got the following requirement.

We have identified a time-sensitive issue that affects all current versions of Splunk Enterprise, Splunk Light and Splunk Cloud. This issue has potential significant impact on data ingestion - including causing inaccurate, unsearchable, or prematurely-deleted data - starting January 1, 2020, when timestamps using two-digit years will stop being correctly recognized. Full details around this issue, including workarounds and product fixes, are documented in the Release Notes for each Splunk Version.

Fix & Workarounds Available

Splunk Cloud instances will be automatically upgraded prior to January 1, 2020. A support representative will advise you when the upgrade will take place. All Splunk Enterprise and Splunk Light customers, and any Splunk Cloud customers must apply one of the following changes to their Splunk Instance/s prior to January 1, 2020 to avoid the issue:

  1. Download an updated version of datetime.xml and apply it to each of your Splunk platform instances
  2. Download and deploy an app to temporarily replace the defective datetime.xml with the fixed one
  3. Make modifications to existing datetime.xml on your Splunk platform instances
  4. Upgrade Splunk platform instances to a version with an updated version of datetime.xml

Where can we download the datetime.xml file from?

What is the path where the datetime.xml file resides on the server?

What is the path on the server where we can upload the downloaded datetime.xml file?

What modifications do we need to make once we upload the datetime.xml file?

How do we upgrade a Splunk platform instance to a version with an updated version of datetime.xml?

On which servers do we need to upload the datetime.xml?
Splunk Forwarder
Splunk Indexer
Splunk License server

Is a reboot of the server required after the upgrade, or is restarting the Splunk services enough?

It would be great if you could provide the steps to perform the above activity.

Regards,
Pratapa.

0 Karma

kartm2020
Communicator

Where can we download the datetime.xml file from?

Link: https://download.splunk.com/products/ingest2020/datetime.zip
You can use wget to download this XML file.

What is the path where the datetime.xml file resides on the server?

/opt/splunk/etc

What is the path on the server where we can upload the downloaded datetime.xml file?

I would recommend downloading the XML to the /opt file path. Then you can move it to /opt/splunk/etc. It will ask you to overwrite. Select Yes.

What modifications do we need to make once we upload the datetime.xml file?
You have to replace the existing datetime.xml file in /opt/splunk/etc.

How do we upgrade a Splunk platform instance to a version with an updated version of datetime.xml?
No need to upgrade the Splunk platform instance. This change is enough.

On which servers do we need to upload the datetime.xml?
Splunk Forwarder
Splunk Indexer
Splunk License server

On all the Splunk instances.

Is a reboot of the server required after the upgrade, or is restarting the Splunk services enough?
Restarting the Splunk service is more than enough.

0 Karma
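
The steps from the answer above (download the archive, replace the file under /opt/splunk/etc, restart the Splunk service) written as a shell script. This is an added example, not part of the original thread and not Splunk's own tooling. It assumes Splunk is installed in /opt/splunk, that the archive unpacks to a file named datetime.xml, and that the file's root element is `<datetime>`; the function name `install_datetime_xml` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): replace datetime.xml on one instance,
# keeping a backup and refusing a broken download.

# install_datetime_xml NEW_FILE SPLUNK_HOME
# Prints "unchanged" if the fixed file is already in place; otherwise backs up
# the current file, overwrites it and prints "replaced". Returns 1 on error.
install_datetime_xml() {
    new_file=$1
    target=$2/etc/datetime.xml

    # An empty file or an HTML error page must never overwrite the real file.
    [ -s "$new_file" ] || { echo "error: $new_file is missing or empty" >&2; return 1; }
    # Assumption: a genuine datetime.xml contains a <datetime> root element.
    grep -q '<datetime>' "$new_file" || { echo "error: $new_file is not a datetime.xml" >&2; return 1; }
    [ -f "$target" ] || { echo "error: $target not found" >&2; return 1; }

    # Already patched: nothing to do, so no restart is needed either.
    if cmp -s "$new_file" "$target"; then
        echo unchanged
        return 0
    fi

    # Timestamped backup so the change can be rolled back.
    cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Overwrite in place so the original owner and mode are kept.
    cat "$new_file" > "$target" || return 1
    echo replaced
}

# Run with --apply on the Splunk host itself, as the user that owns the install.
if [ "${1:-}" = "--apply" ]; then
    set -eu
    SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}   # assumed install path
    work=$(mktemp -d)
    wget -q -O "$work/datetime.zip" \
        https://download.splunk.com/products/ingest2020/datetime.zip
    unzip -q -o "$work/datetime.zip" -d "$work"
    result=$(install_datetime_xml "$work/datetime.xml" "$SPLUNK_HOME")
    echo "datetime.xml: $result"
    # Restart only the Splunk service, and only if the file changed.
    if [ "$result" = replaced ]; then
        "$SPLUNK_HOME/bin/splunk" restart
    fi
fi
```
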

sandeepghi
New Member

How can we do it on all the universal forwarders? I have already done this on the indexer, deployment server/license master, heavy forwarders, and search heads.

We have like 1000 hosts reporting to Splunk. How can I do this manually on all UFs?

0 Karma

manjunathmeti
Influencer

You can find answers to all your questions here: https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

0 Karma

jibin1988
Path Finder

In the above doc, it is mentioned that we need to restart the Splunk platform.

The question is: shall we restart the service or restart the server?

0 Karma

manjunathmeti
Influencer

It is a restart of the Splunk service. No system/server reboot is required.

0 Karma