We are getting notification of from splunk on time stamp recognition issue from jan 1 2010 it will be effecting the splunk in premise servers as splunk cloud will be taken care by splunk team.
So i perform below steps will it be fine?
1) Download the datetime.zip timestamp recognition ZIP file from splunk.com.
2) Unarchive the ZIP file to a location that is accessible from all of your Splunk platform instances.
On each Splunk platform instance, do the following:
Using your operating system file management utilities, copy the updated datetime.xml from the location where you downloaded it to the $SPLUNKHOME/etc directory on the Splunk platform instance. Ensure that the updated file overwrites the existing file.
Confirm that the new datetime.xml has been written to the $SPLUNKHOME/etc directory.
Restart the Splunk platform. Your Splunk platform instance is now patched.
Because we have to perform on production system so just want a confirmation?
Those are the documented steps. If you have doubts, you should test them on a non-production system (even if it means installing Splunk on your workstation).
We have tested this in our local environment and it is working.
But in this we have one setting in props.conf
MAXDAYSHENCE = 40
Is it like from the day it expires it will work only till next 40 days.?
Can you please explain me about this "MaxDAYSHENCE" i went through the document can anyone please explain it. I got bit confused and i need to perform these changes into splunk production?
In this context,
MAX_DAYS_HENCE is used to test the datetime.xml fix. It can be removed (or returned to the previous value) when testing is complete.
MAX_DAYS_HENCE tells Splunk how to treat timestamps that are newer than today. Those that are fewer than
MAX_DAYS_HENCE in the future are accepted; others are not.
I used the "app" method because we have a
Deployment Server. It is the easiest way but the
*.zip download is NOT an app, it is a package of TWO distinct apps that go to TWO separate