Dashboards & Visualizations

How to verify that new datetime.xml patch was applied to all my instances?

asherer_splunk
Splunk Employee
Splunk Employee

I've seen the notes about the patch that needs to be applied for the two-digit years in timestamps:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020

How do I do a quick-spot check of all my forwarders and full instances to make sure that datetime.xml has been patched?

Tags (1)
1 Solution

asherer_splunk
Splunk Employee
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.

View solution in original post

asherer_splunk
Splunk Employee
Splunk Employee

The sha256sum of the patched datetime.xml file is this:

[root@ip-10-202-22-128 all_date_patch_props]# sha256sum datetime.xml
e6016245a677bff48ea7ddbe8d4b36f9acbd02918e1f90ead812892692d655ea  datetime.xml

So I create a simple bash script (let's call it datetime_check.sh):

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

This checks the three main locations that it might be (assuming the default app names) and generates the sum.

Then, make an inputs.conf:

[script://$SPLUNK_HOME/etc/apps/search/bin/datetime_check.sh]
disabled = false
index = main
interval = 3600
source = datetime_check
sourcetype = datetime_check

Then you can simply search for all the sums and use stats to track deployment progress.

arun_kant_sharm
Path Finder

Hi Asherer,

In your answer you check the datetime.xml check-sum (i.e sha256sum) in three locations

sha256sum $SPLUNK_HOME/etc/datetime.xml
sha256sum $SPLUNK_HOME/etc/apps/all_date_patch_props/datetime.xml
sha256sum $SPLUNK_HOME/etc/slave_apps/idxc_date_patch_props/local/datetime.xml

is this location same for Deployment server, Search Head server, Indexer server and Universal forwarder server???

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...