Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

datetime.xml 2020

riqbal47010
Path Finder
‎12-23-2019 10:55 PM

I am implemented the datetime.xml issue. Now according to article
https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020
I want to validate the change.

I create test.csv file as metioned in above link. now how can I upload and validate in my distributed environment.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-23-2019 11:07 PM

@riqbal47010

have you check this?

https://www.youtube.com/watch?v=tIcRvw2zx34

Check step 5 in https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Validate_timestam...

Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.

$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-23-2019 11:07 PM

@riqbal47010

have you check this?

https://www.youtube.com/watch?v=tIcRvw2zx34

Check step 5 in https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Validate_timestam...

Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.

$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main
0 Karma
Reply
Solved! Jump to solution

riqbal47010
Path Finder
‎12-23-2019 11:57 PM

I gone through all the steps but I have distributed environment.
below are performed steps.

following step#3
On Heavy forwarder I create props.conf file under $SPLUNK_HOME/etc/system/local
[default]
MAX_DAYS_HENCE = 40

after that I add file through step#5

but results are not as expected.

the events time is the time when I am uploading the events.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-24-2019 02:49 AM

Did you executed step 4??

Just for troubleshooting, is it possible to keep local copy in the HF and execute step 5 again. And just check data on HF only.

I found steps For distributed environment please check below link.

https://blog.zivaro.com/splunk-product-timestamp-issue-solution

0 Karma
Reply
Solved! Jump to solution

riqbal47010
Path Finder
‎12-25-2019 05:06 AM

hi kamlesh,

thanks fory your kind support.

I check the video link and found that to see the future date I have to select all times

thanks for your support

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...