Dashboards & Visualizations

How to verify that new datetime.xml patch was applied to all my instances?

asherer_splunk
Splunk Employee
Splunk Employee

I've seen the notes about the patch that needs to be applied for the two-digit years in timestamps:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

How do I do a quick-spot check of all my forwarders and full instances to make sure that datetime.xml has been patched?

Tags (1)
1 Solution

asherer_splunk
Splunk Employee
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.

View solution in original post

asherer_splunk
Splunk Employee
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.

arun_kant_sharm
Path Finder

Hi Asherer,

In your answer you check the datetime.xml check-sum (i.e sha256sum) in three locations

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

is this location same for Deployment server, Search Head server, Indexer server and Universal forwarder server???

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...