We were notified there is an issue with the recognition of 2-digit years in the Splunk code that requires an immediate patch. We need to know how to verify this patch is applied properly and will be working properly come 1/1/2020.
Link to issue: https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#More_information
You can use this search to find potentially problematic events. DISCLAIMER: This is NOT a guarantee because we have no way to tell with SPL whether Indexers are using datetime.xml or proper Magic 6 settings. It will show you events that, IF the indexers are using datetime.xml, will be broken without the fix.
index="*" AND sourcetype="*" AND timestartpos="*" earliest=-7d latest=now
| dedup punct sourcetype index
| eval timestr=substr(_raw, timestartpos+1, timeendpos-timestartpos)
| regex timestr="(((?:^|\D)\d{1,2}[-\/]\d{1,2}[-\/]19[^\d])|((?:^|\D)19[-\/]\d{1,2}[-\/]\d{1,2}[^\d])|((?:^|\D)\d{1,2}\s[-\/]\s\d{1,2}\s[-\/]\s19[^\d])|((?:^|\D)19\s[-\/]\s\d{1,2}\s[-\/]\s\d{1,2}[^\d])|((?:^|\D)([a-zA-Z]{3}[- \/]+\d{1,2}[- \/]+19[^:\d]))|((?:^|\D)19[- \/][a-zA-Z]{3}[- \/]\d{1,2}[^:\d])|((?:^|\D)\d{1,2}[- \/]+[a-zA-Z]{3}[- \/]+19[^:\d]))"
| table punct sourcetype index timestr time*pos _time _raw time*
| stats list(*) AS * BY index sourcetype
If this search returns nothing, then you have nothing to fix. Do note that this search will return the same results BEFORE and AFTER you deploy the fix. It only shows your potential risk, not your actual risk.
Thanks Rich and David, appreciate the feedback.
@woodcock loop answer, can't go wrong there 😛
Just keep clicking.
lol almost there 😛
Keep going!!!
587 link clicks and still nothing...
Is there a query that can search the _raw events for sources that are using 2 digit years?
Hi @capesb,
To confirm that the change has been made, you need to be sure that your datetime.xml file matches the one in https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#More_information
and that you've restarted your Splunk instances after modification, as mentioned here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_an_updat...
OR that you are on one of the bug-free versions specified here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Upgrade_Splunk_pl...
In this blog post you can find exactly what changed in the datetime.xml:
https://www.bleepingcomputer.com/news/security/splunk-faces-y2k-bug-like-problem-unless-patched/
Let me know if that helps.
Cheers,
David
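As a complement to David's answer (diff the file, restart), here is an added example, not Splunk's code and not from the thread, that gives a behavioural verdict on a datetime.xml: it pulls the year regex out of the file, compiles it, and asks whether it accepts two-digit years 20 through 29, then shows which constructed MM/DD/YY log lines that regex would fail to recognise. Two assumptions, both labelled in the code and to be verified against the release-notes link above: that the stock file keeps its year regex in a `<define name="_year" extract="year">` element, and that the pre-fix two-digit branch was `[901]\d` (90-99 and 00-19) while the fix widened it to `[9012]\d`. The `OLD_DATETIME_XML` / `NEW_DATETIME_XML` fragments and `SAMPLE_LINES` are constructed for offline running, not copies of the real files.

```python
#!/usr/bin/env python3
r"""Behavioural check of a Splunk datetime.xml for the 2020 two-digit-year fix.

Added example for this thread; not Splunk's code and not a substitute for
diffing the file against the one linked in the release notes. Assumptions:
  * the stock datetime.xml keeps its year regex in
    <define name="_year" extract="year">...</define>;
  * before the fix the two-digit branch of that regex was [901]\d, which
    accepts 90-99 and 00-19 but not 20-29; the fix widened it to [9012]\d.
Rather than comparing strings, the check compiles whatever regex it finds and
asks whether it accepts "20".."29", so a locally edited file still gets a
correct verdict as long as the define name is unchanged.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Constructed fragments standing in for the old and fixed files when running
# offline; they are not copies of the full datetime.xml.
OLD_DATETIME_XML = r'''<datetime>
<define name="_year" extract="year">(20\d\d|19\d\d|[901]\d(?!\d))</define>
</datetime>'''
NEW_DATETIME_XML = r'''<datetime>
<define name="_year" extract="year">(20\d\d|19\d\d|[9012]\d(?!\d))</define>
</datetime>'''

# Constructed log lines with MM/DD/YY timestamps, as a forwarder would see them.
SAMPLE_LINES = [
    "12/31/19 23:59:59 host=web1 msg=last event of 2019",
    "01/01/20 00:00:01 host=web1 msg=first event of 2020",
    "06/15/20 08:30:00 host=web2 msg=mid 2020",
]


def year_pattern(datetime_xml_text):
    """Return the regex text of the _year define, or None if it is absent."""
    root = ET.fromstring(datetime_xml_text)
    for define in root.iter("define"):
        if define.get("name") == "_year":
            return (define.text or "").strip()
    return None


def accepted_years(pattern, years):
    """Map each year string to whether the pattern accepts it as a whole."""
    rx = re.compile(pattern)
    return {y: rx.fullmatch(y) is not None for y in years}


def has_2020_fix(datetime_xml_text):
    """True if the _year regex accepts every two-digit year 20 through 29."""
    pattern = year_pattern(datetime_xml_text)
    if pattern is None:
        raise ValueError('no <define name="_year"> found; not a datetime.xml?')
    decade = [f"2{d}" for d in range(10)]
    return all(accepted_years(pattern, decade).values())


def unrecognized_lines(datetime_xml_text, lines):
    """Lines whose leading MM/DD/YY timestamp the _year regex does not match.

    Simplification (assumption): Splunk composes many date layouts from the
    defines; this builds only the MM/DD/YY one to show the effect.
    """
    year = year_pattern(datetime_xml_text)
    rx = re.compile(r"^\d{1,2}/\d{1,2}/" + year + r"\b")
    return [ln for ln in lines if rx.match(ln) is None]


def main(argv):
    # Default location assumes $SPLUNK_HOME (or /opt/splunk) on this host.
    default = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"),
                           "etc", "datetime.xml")
    path = argv[1] if len(argv) > 1 else default
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    fixed = has_2020_fix(text)
    print(f"{path}: _year regex = {year_pattern(text)}")
    print("2020 fix present" if fixed else "2020 fix MISSING")
    for line in unrecognized_lines(text, SAMPLE_LINES):
        print("would not be recognised:", line)
    return 0 if fixed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_datetime_xml.py [/path/to/datetime.xml]` on each instance you patched; the non-zero exit code makes it easy to fan out over hosts with whatever remote-execution tooling you already use. A "fix present" result only proves the file on disk, not that the running splunkd has loaded it, which is exactly why David's point about restarting after the change still stands.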
To test the fix, try ingesting a file that contains the two-digit year "20". Use a test index, of course. You'll also need to set MAX_DAYS_HENCE in props.conf to a value that includes the date in the file (at least 30).