On which Splunk Enterprise servers does the FixDatetimexml2020 patch need to be applied?

pbadhe_2
Engager

Hi,

Query regarding the patch for the "Timestamp recognition of dates with two-digit years fails beginning January 1, 2020" post.

On 25th Nov 2019, the post "https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020" is asking to patch all Splunk instances, instead of "Splunk Cloud, Splunk Enterprise indexer, Splunk Enterprise heavy forwarder, and Splunk Light instances" as it did a day before.

Does this mean that on a Splunk Enterprise clustered setup, this file must be patched on the Cluster master, SH deployer, License Master, Indexers, Search-heads and all heavy & universal forwarder instances?
OR
just indexers & heavy forwarder instances?

Also, on Splunk Enterprise All-in-one setups, this file must be patched. Correct?

Please clarify.

Thanks in advance,
Prashant Badhe


niketn
Legend

The Docs keep on getting updated with the latest details. Refer to the Impact section for details:

https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Impact

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

splnsuman
SplunkTrust

Also, our team has tested various date formats that get impacted after Jan 2020. The utcepoch time only gets impacted after Sep 23, 2020, but it's better to fix all before Jan 1, 2020.

Here is the link:
https://www.bitsioinc.com/general/splunk-datetime-xml-year

Bringing ROI and Customer Success obsessed for your Splunk Investments.

xpac
SplunkTrust

You have to patch every instance that parses data that could contain such timestamps with two digit years or epoch format.

This definitely includes all indexers and HF. If you can be 100% sure that you will never ingest such logs on your SH, CM, DS, etc... you may be able to ignore them, but as some Linux logs on those boxes might be ingested now or in the future, I'd advise to patch them too. Maybe you can use the opportunity to update Splunk, too.

Be aware that you might even have to patch the UFs, if you use features like INDEXED_EXTRACTIONS or force_local_processing. An example of such a built-in sourcetype that would be affected is CSV.
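
The universal forwarder check mentioned in the post above, as an added example that is not part of the thread or Splunk's own tooling: a Python script that lists the props.conf stanzas that set INDEXED_EXTRACTIONS or enable force_local_processing. The function name and the sample configuration are constructed for illustration.

```python
import re

# Boolean spellings treated as "true" for force_local_processing.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}

# Constructed sample props.conf content (not from a real deployment).
SAMPLE_PROPS = """\
[csv_inventory]
INDEXED_EXTRACTIONS = CSV

[app_audit]
force_local_processing = true
TIME_FORMAT = %y-%m-%d %H:%M:%S

[syslog_plain]
# INDEXED_EXTRACTIONS = JSON
force_local_processing = false
"""

def local_parsing_stanzas(props_text):
    """Return {stanza: [settings]} for stanzas that make a UF parse events."""
    findings = {}
    stanza = "default"  # settings above the first [stanza] header are global
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            continue  # not a key = value line
        if key == "INDEXED_EXTRACTIONS" and value:
            findings.setdefault(stanza, []).append(f"{key}={value}")
        elif key == "force_local_processing" and value.lower() in TRUE_VALUES:
            findings.setdefault(stanza, []).append(f"{key}={value}")
    return findings

if __name__ == "__main__":
    for name, hits in local_parsing_stanzas(SAMPLE_PROPS).items():
        print(f"[{name}] parses locally: {', '.join(hits)}")
```

Running it over the output of `splunk btool props list` checks the merged configuration rather than a single file.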

jp6jp620104
Observer

If the HF is only used to receive and forward data to the indexer, can the HF be ignored?

niketn
Legend

@pbadhe_2 since this is related to timestamp recognition, I would say any instance that can index. Sometimes SHs can also index data which is forwarded to IDX cluster.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mayurr98
Super Champion

On which Splunk version instances do we need to apply this patch? Is it only for 8.0?

MuS
SplunkTrust

Hi mayurr98,

see the docs https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Upgrade_Splunk_p... to get a table of the Splunk versions.

cheers, MuS
