Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

On which Splunk Enterprise servers FixDatetimexml2020 patch needs to be applied?

pbadhe_2
Engager
‎11-25-2019 08:33 PM

Hi,

Query regarding Patch for "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" post.

On 25th Nov 2019, the post "https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020" is asking to patch all Splunk instances instead of "Splunk Cloud, Splunk Enterprise indexer, Splunk Enterprise heavy forwarder, and Splunk Light instances" a day before.

Does this mean that on Splunk enterprise Clustered setup, this file must be patched on Cluster master, SH deployer, License Master, Indexers, Search-heads and all heavy & universal forwarder instances?
OR
just indexers & heavy forwarder instances?

Also, on Splunk Enterprise All-in-one setups, this file must be patched. Correct?

Please clarify.

Thanks in advance,
Prashant Badhe

Tags (1)
0 Karma
Reply

niketn
Legend
‎11-26-2019 09:09 PM

The Docs keep on getting updated with the latest details. Refer to the Impact section for details:

https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Impact

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

splnsuman
Explorer
‎12-01-2019 05:01 PM

Also our team has tested various date formats and that get impacted after 2020 Jan. The utcepoch time only gets impacted after Sep 23. 2020 but it's better to fix all before Jan 1, 2020.

Here is the link :
https://www.bitsioinc.com/general/splunk-datetime-xml-year

Bringing ROI and Customer Success obsessed for your Splunk Investments.
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎11-26-2019 03:02 AM

You have to patch every instance that parses data that could contain such timestamps with two digit years or epoch format.

This definitely includes all indexers and HF. If you can be 100% sure that you will never ingest such logs on your SH, CM, DS, etc... you may be able to ignore them, but as some Linux logs on those boxes might be ingested now or in the future, I'd advise to patch them too. Maybe you can use the opportunity to update Splunk, too.

Be aware that you might even have to patch the UFs, if you use features like INDEXED_EXTRACTIONS or force_local_processing. An example of such a built-in sourcetype that would be affected is CSV.

Reply

jp6jp620104
Observer
‎12-01-2019 07:06 PM

If HF only use to receive and forward data to Indexer, HF can be to ignore?

0 Karma
Reply

niketn
Legend
‎11-25-2019 10:03 PM

@pbadhe_2 since this is related to timestamp recognition, I would say any instance that can index. Sometimes SHs can also index data which is forwarded to IDX cluster.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

mayurr98
Super Champion
‎11-28-2019 06:55 AM

On which Splunk version instances we need to apply this patch? is it only for 8.0?

0 Karma
Reply

MuS
Legend
‎12-01-2019 05:39 PM

Hi mayurr98,

see the docs https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Upgrade_Splunk_p... to get a table of the Splunk versions.

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top