Getting Data In

How can we verify the patch that has been provided for the date time issue before 1/1/2020?

capesb
Engager

We were notified there is an issue with the recognition of 2-digit years in the Splunk code that requires an immediate patch. We need to know how to verify this patch is applied properly and is going to be working properly come 1/1/2020.
Link to issue: https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#More_information

woodcock
Esteemed Legend

You can use this search to find potentially problematic events. DISCLAIMER: This is NOT a guarantee because we have no way to tell with SPL whether Indexers are using datetime.xml or proper Magic 6 settings. It will show you events that, IF the indexers are using datetime.xml, will be broken without the fix.

index="*" AND sourcetype="*" AND timestartpos="*" earliest=-7d latest=now
| dedup punct sourcetype index
| eval timestr=substr(_raw, timestartpos+1, timeendpos-timestartpos)
| regex timestr="(((?:^|\D)\d{1,2}[-\/]\d{1,2}[-\/]19[^\d])|((?:^|\D)19[-\/]\d{1,2}[-\/]\d{1,2}[^\d])|((?:^|\D)\d{1,2}\s[-\/]\s\d{1,2}\s[-\/]\s19[^\d])|((?:^|\D)19\s[-\/]\s\d{1,2}\s[-\/]\s\d{1,2}[^\d])|((?:^|\D)([a-zA-Z]{3}[- \/]+\d{1,2}[- \/]+19[^:\d]))|((?:^|\D)19[- \/][a-zA-Z]{3}[- \/]\d{1,2}[^:\d])|((?:^|\D)\d{1,2}[- \/]+[a-zA-Z]{3}[- \/]+19[^:\d]))"
| table punct sourcetype index timestr time*pos _time _raw time*
| stats list(*) AS * BY index sourcetype

If this search returns nothing, then you have nothing to fix. Do note that this search will return the same results BEFORE and AFTER you deploy the fix. It only shows your potential risk, not your actual.

0 Karma

capesb
Engager

thanks Rich and David, appreciate the feedback

0 Karma

DavidHourani
Super Champion

@woodcock loop answer, can't go wrong there 😛

0 Karma

woodcock
Esteemed Legend

Just keep clicking.

DavidHourani
Super Champion

lol almost there 😛

0 Karma

woodcock
Esteemed Legend

Keep going!!!

0 Karma

DavidHourani
Super Champion

587 link clicks and still nothing...

0 Karma

jordanking1992
Path Finder

Is there a query that can search the _raw events for sources that are using 2 digit years?

0 Karma
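The SPL search in woodcock's answer above, and jordanking1992's question about finding sources that use 2-digit years, are both approximated here in Python so the same check can be run offline over exported _raw samples. This is an added example, not code from any poster or from Splunk; it generalises the search by taking the two-digit year as a parameter (the search hard-codes "19") and uses a lookbehind instead of the consumed `(?:^|\D)` anchor so the matched text is returned cleanly. The sample events are constructed.

```python
import re
from collections import defaultdict

# Building blocks shared by the timestamp families the SPL regex looks for.
SEP = r"[-/]"        # numeric date separator
MSEP = r"[- /]+"     # separator between a month name and digits
DD = r"\d{1,2}"      # day or month number
MON = r"[A-Za-z]{3}" # abbreviated month name

def _families(yy):
    # (family name, pattern). (?<!\d) stops a four-digit year such as 2019 from
    # being read as "20" + "19"; the negative lookahead rejects "19" when it is
    # really an hour ("Jan 05 19:00") or the start of a longer number.
    return [
        ("dd/dd/yy", rf"(?<!\d){DD}{SEP}{DD}{SEP}{yy}(?!\d)"),
        ("yy/dd/dd", rf"(?<!\d){yy}{SEP}{DD}{SEP}{DD}(?!\d)"),
        ("dd - dd - yy", rf"(?<!\d){DD}\s{SEP}\s{DD}\s{SEP}\s{yy}(?!\d)"),
        ("yy - dd - dd", rf"(?<!\d){yy}\s{SEP}\s{DD}\s{SEP}\s{DD}(?!\d)"),
        ("Mon dd yy", rf"(?<!\d){MON}{MSEP}{DD}{MSEP}{yy}(?![:\d])"),
        ("yy Mon dd", rf"(?<!\d){yy}{MSEP}{MON}{MSEP}{DD}(?![:\d])"),
        ("dd Mon yy", rf"(?<!\d){DD}{MSEP}{MON}{MSEP}{yy}(?![:\d])"),
    ]

def two_digit_year_hit(raw, yy="19"):
    """Return (family, matched_text) for the first at-risk timestamp in raw, else None."""
    for name, pat in _families(re.escape(yy)):
        m = re.search(pat, raw)
        if m:
            return name, m.group(0)
    return None

def scan(events, yy="19"):
    """Group at-risk events by sourcetype, like the `stats ... BY sourcetype` in the search."""
    hits = defaultdict(list)
    for sourcetype, raw in events:
        hit = two_digit_year_hit(raw, yy)
        if hit:
            hits[sourcetype].append(hit)
    return dict(hits)

# Constructed sample events as (sourcetype, _raw); not real data.
SAMPLE_EVENTS = [
    ("legacy_app", "01/05/19 12:00:00 login ok user=alice"),
    ("legacy_app", "19-01-05 12:00:01 logout user=alice"),
    ("mail", "Jan 05 19 14:22:10 relay accepted msg"),
    ("mail", "Jan 05 19:22:10 relay accepted msg"),        # 19 is an hour here, not a year
    ("web", "2019-01-05T12:00:00Z GET /index.html 200"),   # ISO 8601, four-digit year: safe
    ("fw", "05-Jan-19 09:15:00 deny tcp 10.0.0.5"),
]

if __name__ == "__main__":
    for sourcetype, found in scan(SAMPLE_EVENTS).items():
        print(sourcetype, found)
```

As with the SPL, a hit means the source writes two-digit years and is therefore exposed if the indexer relies on datetime.xml; it says nothing about whether the fix is already installed.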

DavidHourani
Super Champion

Hi @capesb,

To confirm that the change has been made you need to be sure that your datetime.xml file matches the one in https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#More_information
and that you've restarted your Splunk instances after modification, as mentioned here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_an_updat...

OR that you are on one of the bug-free versions specified here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Upgrade_Splunk_pl...

On this blog you can find what exactly changed in the datetime.xml:
https://www.bleepingcomputer.com/news/security/splunk-faces-y2k-bug-like-problem-unless-patched/

Let me know if that helps.

Cheers,
David

0 Karma

richgalloway
SplunkTrust

To test the fix, try ingesting a file that contains the two-digit year "20". Use a test index, of course. You'll also need to set MAX_DAYS_HENCE in props.conf to a value that includes the date in the file (at least 30).

---
If this reply helps you, Karma would be appreciated.
0 Karma