Hi,

I have updated all my instances by updating the datetime.xml file as described here:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_and_depl...

Now I'm trying to validate the fix by following the suggested procedure i.e.

1-Paste the following text into a text editor:

date,message
19-12-31 23:58:44,Test Message  - datetime.xml testing - override - puppet managed forced restart
20-01-02 23:58:54,Test Message  - datetime.xml testing - override - puppet managed forced restart

2-Save the text as a text file, for example, test_file.csv, to a place that is accessible from all of your Splunk platform instances.
3-On the Splunk platform instance that you want to validate, adjust the MAX_DAYS_HENCE setting for the [default] stanza in the $SPLUNK_HOME/etc/system/local/props.conf configuration file.

[default]
MAX_DAYS_HENCE = 40

4-Restart the Splunk platform.
5-Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.

$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main

6-Perform a search on the text in Step 1. The text with the two digit "20" should have a timestamp with the correct two-digit year of 2020.

Now I'm stuck at step 3, I do not have a props.conf file in /etc/system/local/ of any of the instances ,furthermore I have lots of custom apps that have their own props.conf within their respective /apps/[appname] directory.

I m not sure how to validate this fix in this scenario, I was able to validate this on a single instance test server by just copying the /opt/splunk/etc/system/default/props.conf onto /opt/splunk/etc/system/local and editing the MAX_DAYS_HENCE value.

But in this production environment not sure how to go about it. If i create a props.conf under /opt/splunk/etc/system/local/ this would override all other props.conf and break things?

Any suggestions? Thanks.