Getting Data In

On which Splunk Enterprise servers FixDatetimexml2020 patch needs to be applied?

pbadhe_2
Engager

Hi,

Query regarding Patch for "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" post.

On 25th Nov 2019, the post "https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020" is asking to patch all Splunk instances instead of "Splunk Cloud, Splunk Enterprise indexer, Splunk Enterprise heavy forwarder, and Splunk Light instances" a day before.

Does this mean that on Splunk enterprise Clustered setup, this file must be patched on Cluster master, SH deployer, License Master, Indexers, Search-heads and all heavy & universal forwarder instances?
OR
just indexers & heavy forwarder instances?

Also, on Splunk Enterprise All-in-one setups, this file must be patched. Correct?

Please clarify.

Thanks in advance,
Prashant Badhe

Tags (1)
0 Karma

niketn
Legend

The Docs keep on getting updated with the latest details. Refer to the Impact section for details:

https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Impact

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

splnsuman
Explorer

Also our team has tested various date formats and that get impacted after 2020 Jan. The utcepoch time only gets impacted after Sep 23. 2020 but it's better to fix all before Jan 1, 2020.

Here is the link :
https://www.bitsioinc.com/general/splunk-datetime-xml-year

Bringing ROI and Customer Success obsessed for your Splunk Investments.
0 Karma

xpac
SplunkTrust
SplunkTrust

You have to patch every instance that parses data that could contain such timestamps with two digit years or epoch format.

This definitely includes all indexers and HF. If you can be 100% sure that you will never ingest such logs on your SH, CM, DS, etc... you may be able to ignore them, but as some Linux logs on those boxes might be ingested now or in the future, I'd advise to patch them too. Maybe you can use the opportunity to update Splunk, too.

Be aware that you might even have to patch the UFs, if you use features like INDEXED_EXTRACTIONS or force_local_processing. An example of such a built-in sourcetype that would be affected is CSV.

jp6jp620104
Observer

If HF only use to receive and forward data to Indexer, HF can be to ignore?

0 Karma

niketn
Legend

@pbadhe_2 since this is related to timestamp recognition, I would say any instance that can index. Sometimes SHs can also index data which is forwarded to IDX cluster.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mayurr98
Super Champion

On which Splunk version instances we need to apply this patch? is it only for 8.0?

0 Karma

MuS
Legend

Hi mayurr98,

see the docs https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Upgrade_Splunk_p... to get a table of the Splunk versions.

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...