
How to verify that new datetime.xml patch was applied to all my instances?

asherer_splunk
Splunk Employee

I've seen the notes about the patch that needs to be applied for the two-digit years in timestamps:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

How do I do a quick spot check of all my forwarders and full instances to make sure that datetime.xml has been patched?

1 Solution

asherer_splunk
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

#!/bin/bash
# Print the SHA-256 of datetime.xml in each location where it may live
sha256sum "$SPLUNK_HOME/etc/datetime.xml"
sha256sum "$SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml"
sha256sum "$SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml"

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.
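
The same check with the comparison done on the host, as an added example that is not part of the original post: it reports each location as patched, unpatched, missing or unreadable against the digest quoted above. The function names, the key=value field names and the rule that one matching copy counts as success are assumptions of this example; the paths and the digest are the ones from the answer.

```bash
#!/bin/bash
# Added example, not the original poster's script: compare each copy of
# datetime.xml with the patched-file digest and print key=value lines.

# Digest of the patched file as quoted in the answer; overridable for testing.
EXPECTED_SHA256="${EXPECTED_SHA256:-e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea}"

# check_datetime_xml FILE
# Prints one line for FILE; exit status is 0 only when the digest matches.
check_datetime_xml() (
    file=$1
    actual=none
    if [ ! -e "$file" ]; then
        status=missing
    elif [ ! -r "$file" ]; then
        status=unreadable
    else
        # Read via stdin so the output never contains the file name.
        actual=$(sha256sum < "$file" | cut -d' ' -f1)
        if [ "$actual" = "$EXPECTED_SHA256" ]; then
            status=patched
        else
            status=unpatched
        fi
    fi
    printf 'check=datetime_xml path="%s" sha256=%s status=%s\n' "$file" "$actual" "$status"
    [ "$status" = patched ]
)

# check_all SPLUNK_HOME
# Checks the three locations from the answer (default app names assumed) and
# adds a summary line. Exit status 0 when at least one copy matches; treating
# one match as enough is this example's convention (an assumption).
check_all() (
    home=$1
    matched=0
    for rel in etc/datetime.xml \
               etc/apps/all_date_patch_props/datetime.xml \
               etc/slave_apps/idxc_date_patch_props/local/datetime.xml
    do
        if check_datetime_xml "$home/$rel"; then
            matched=$((matched + 1))
        fi
    done
    printf 'check=datetime_xml_summary patched_copies=%s\n' "$matched"
    [ "$matched" -gt 0 ]
)

# Runs when SPLUNK_HOME is set, as it is for the original script.
[ -z "${SPLUNK_HOME:-}" ] || check_all "$SPLUNK_HOME" || true
```

With this output, the deployment-progress search can count hosts by status instead of comparing raw digests.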


arun_kant_sharm
Path Finder

Hi Asherer,

In your answer you check the datetime.xml checksum (i.e. sha256sum) in three locations:

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

Is this location the same for the Deployment server, Search Head server, Indexer server and Universal forwarder server?
