Getting Data In

Reporting clients with the timestamp workaround (datetime.xml file) in place

oliverj
Communicator

Is there a way to check which hosts (universal forwarders or splunk enterprise) have the updated datetime.xml installed?
We have several different groups that send us logs from an internal network via a heavy forwarder, so I can see their splunkd logs, but there seems to be no record of the new file.
On the heavy installs, it reports properly.
On the universal forwarders, I was hoping that it would fail the file validation at startup and send the log to _internal, but even though "splunk.exe validate files" shows there is a change, nothing shows up in the splunkd log or at startup.

I am trying to generate a list of all hosts that do not have the file installed.

I realize that this timestamp issue may not affect certain log types, but we are not in a position to pick/choose which ones will work, so our strategy will be to apply the workaround to 100% of the instances.

0 Karma
1 Solution

oliverj
Communicator

Per Splunk support, the universal forwarders do not generate a usable message in their logs, although the heavy/full versions do.
It is possible to build a script that you can install as an app that will do a checksum check, but we are not in a position to install apps across devices we do not own.
So, manual checks it is.

0 Karma
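The checksum-check script the solution mentions, as an added example that is not from this thread or from Splunk: a POSIX shell scripted input that hashes $SPLUNK_HOME/etc/datetime.xml and emits one key=value event per run, so a search over those events lists which hosts still carry the old file. The app name, inputs.conf stanza, sourcetype and the EXPECTED_SHA256 value are assumptions (the expected digest is a placeholder you replace with the hash of the patched datetime.xml).

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): scripted input that reports
# the checksum of $SPLUNK_HOME/etc/datetime.xml from every forwarder it runs on.
# Assumed (hypothetical) app layout "datetime_check" with this inputs.conf stanza:
#   [script://$SPLUNK_HOME/etc/apps/datetime_check/bin/check_datetime.sh]
#   interval = 3600
#   sourcetype = datetime_check
# EXPECTED_SHA256 is a placeholder: set it to the sha256 of the patched datetime.xml.
EXPECTED_SHA256="${EXPECTED_SHA256:-PLACEHOLDER_SHA256_OF_PATCHED_DATETIME_XML}"

# sha256 hex digest of a file; works with GNU sha256sum or BSD/macOS shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file's digest with the expected one. Prints a single key=value event
# line (what Splunk indexes) and returns 0 when patched, 1 when unpatched/missing.
report_datetime_xml() {
    path="$1"
    expected="$2"
    if [ ! -f "$path" ]; then
        echo "datetime_xml_status=missing datetime_xml_path=\"$path\""
        return 1
    fi
    actual=$(file_sha256 "$path")
    if [ "$actual" = "$expected" ]; then
        status=patched
        rc=0
    else
        status=unpatched
        rc=1
    fi
    echo "datetime_xml_status=$status datetime_xml_sha256=$actual datetime_xml_path=\"$path\""
    return $rc
}

# Entry point when Splunk runs the script (SPLUNK_HOME is set in that environment).
if [ -n "$SPLUNK_HOME" ]; then
    report_datetime_xml "$SPLUNK_HOME/etc/datetime.xml" "$EXPECTED_SHA256"
fi
```

Once the events arrive, a search such as `sourcetype=datetime_check | stats latest(datetime_xml_status) AS status by host | where status!="patched"` gives the list of hosts still needing the file.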

ycefalas
Loves-to-Learn Lots

The deployment server can produce a list of Splunk versions for UF/Splunk, which can indicate that the endpoint is on a non-patched UF.

0 Karma

oliverj
Communicator

Yes, but in our case, we only updated the XML.
Software updates would be better, but the release turnaround in our environment is prohibitively slow for an emergency like this.

0 Karma

oliverj
Communicator

Any suggestions here?
Having a hard time coming up with a verification method.

0 Karma