Dashboards & Visualizations

How to verify that new datetime.xml patch was applied to all my instances?

asherer_splunk
Splunk Employee
Splunk Employee

I've seen the notes about the patch that needs to be applied for the two-digit years in timestamps:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

How do I do a quick-spot check of all my forwarders and full instances to make sure that datetime.xml has been patched?

Tags (1)
1 Solution

asherer_splunk
Splunk Employee
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.

View solution in original post

asherer_splunk
Splunk Employee
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.

View solution in original post

arun_kant_sharm
Path Finder

Hi Asherer,

In your answer you check the datetime.xml check-sum (i.e sha256sum) in three locations

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

is this location same for Deployment server, Search Head server, Indexer server and Universal forwarder server???

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!