Getting Data In

Validating timestamp extraction after an update

amankhan1
Path Finder

Hi,

I have updated all my instances by updating the datetime.xml file as described here:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_and_depl...

Now I'm trying to validate the fix by following the suggested procedure i.e.

1-Paste the following text into a text editor:

date,message
19-12-31 23:58:44,Test Message  - datetime.xml testing - override - puppet managed forced restart
20-01-02 23:58:54,Test Message  - datetime.xml testing - override - puppet managed forced restart

2-Save the text as a text file, for example, test_file.csv, to a place that is accessible from all of your Splunk platform instances.
3-On the Splunk platform instance that you want to validate, adjust the MAX_DAYS_HENCE setting for the [default] stanza in the $SPLUNK_HOME/etc/system/local/props.conf configuration file.

[default]
MAX_DAYS_HENCE = 40

4-Restart the Splunk platform.
5-Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.

$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main

6-Perform a search on the text in Step 1. The text with the two digit "20" should have a timestamp with the correct two-digit year of 2020.

Now I'm stuck at step 3, I do not have a props.conf file in /etc/system/local/ of any of the instances ,furthermore I have lots of custom apps that have their own props.conf within their respective /apps/[appname] directory.

I m not sure how to validate this fix in this scenario, I was able to validate this on a single instance test server by just copying the /opt/splunk/etc/system/default/props.conf onto /opt/splunk/etc/system/local and editing the MAX_DAYS_HENCE value.

But in this production environment not sure how to go about it. If i create a props.conf under /opt/splunk/etc/system/local/ this would override all other props.conf and break things?

Any suggestions? Thanks.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can create a props.conf in any valid location, with just these two lines:

[my_datetime_test]
MAX_DAYS_HENCE = 40

I wouldn't recommend using [default] in case some other sourcetype relies on this setting in your production environment. Make sure your oneshot references this sourcetype.
Additionally, I wouldn't recommend using index main - instead, use a sandbox/temp index to not pollute your production data with test stuff.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can create a props.conf in any valid location, with just these two lines:

[my_datetime_test]
MAX_DAYS_HENCE = 40

I wouldn't recommend using [default] in case some other sourcetype relies on this setting in your production environment. Make sure your oneshot references this sourcetype.
Additionally, I wouldn't recommend using index main - instead, use a sandbox/temp index to not pollute your production data with test stuff.

amankhan1
Path Finder

Thanks Martin,
One question, in order to ensure all my instances are correctly patched , I will have to run these steps on each instance individually ,SH,Idx,Cluster master, DS, HF etc? or is there a way this test can validate all instances?

was thinking along the lines of running the process (step1 to step 5) on one of the indexers and then executing the search in step 6 on the search head.?

0 Karma

riqbal47010
Path Finder

hi aman,

I have distributed environemnt and I done this on HF and add the file into test index through oneshot. and for validation, I select all time one the date is in splunk.
in distributed environment, CM , DS are admin components and they are not participating in indexing operations. SO no need to test them.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...