Getting Data In

Validating timestamp extraction after an update

amankhan1
Path Finder

Hi,

I have updated all my instances by updating the datetime.xml file as described here:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_and_depl...

Now I'm trying to validate the fix by following the suggested procedure i.e.

1-Paste the following text into a text editor:

date,message
19-12-31 23:58:44,Test Message  - datetime.xml testing - override - puppet managed forced restart
20-01-02 23:58:54,Test Message  - datetime.xml testing - override - puppet managed forced restart

2-Save the text as a text file, for example, test_file.csv, to a place that is accessible from all of your Splunk platform instances.
3-On the Splunk platform instance that you want to validate, adjust the MAX_DAYS_HENCE setting for the [default] stanza in the $SPLUNK_HOME/etc/system/local/props.conf configuration file.

[default]
MAX_DAYS_HENCE = 40

4-Restart the Splunk platform.
5-Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.

$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main

6-Perform a search on the text in Step 1. The text with the two digit "20" should have a timestamp with the correct two-digit year of 2020.

Now I'm stuck at step 3, I do not have a props.conf file in /etc/system/local/ of any of the instances ,furthermore I have lots of custom apps that have their own props.conf within their respective /apps/[appname] directory.

I m not sure how to validate this fix in this scenario, I was able to validate this on a single instance test server by just copying the /opt/splunk/etc/system/default/props.conf onto /opt/splunk/etc/system/local and editing the MAX_DAYS_HENCE value.

But in this production environment not sure how to go about it. If i create a props.conf under /opt/splunk/etc/system/local/ this would override all other props.conf and break things?

Any suggestions? Thanks.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can create a props.conf in any valid location, with just these two lines:

[my_datetime_test]
MAX_DAYS_HENCE = 40

I wouldn't recommend using [default] in case some other sourcetype relies on this setting in your production environment. Make sure your oneshot references this sourcetype.
Additionally, I wouldn't recommend using index main - instead, use a sandbox/temp index to not pollute your production data with test stuff.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can create a props.conf in any valid location, with just these two lines:

[my_datetime_test]
MAX_DAYS_HENCE = 40

I wouldn't recommend using [default] in case some other sourcetype relies on this setting in your production environment. Make sure your oneshot references this sourcetype.
Additionally, I wouldn't recommend using index main - instead, use a sandbox/temp index to not pollute your production data with test stuff.

amankhan1
Path Finder

Thanks Martin,
One question, in order to ensure all my instances are correctly patched , I will have to run these steps on each instance individually ,SH,Idx,Cluster master, DS, HF etc? or is there a way this test can validate all instances?

was thinking along the lines of running the process (step1 to step 5) on one of the indexers and then executing the search in step 6 on the search head.?

0 Karma

riqbal47010
Path Finder

hi aman,

I have distributed environemnt and I done this on HF and add the file into test index through oneshot. and for validation, I select all time one the date is in splunk.
in distributed environment, CM , DS are admin components and they are not participating in indexing operations. SO no need to test them.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...