Validating timestamp extraction after an update

Path Finder

Hi,

I have updated all my instances by updating the datetime.xml file as described here:

https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_and_depl...

Now I'm trying to validate the fix by following the suggested procedure i.e.

1-Paste the following text into a text editor:

date,message
19-12-31 23:58:44,Test Message  - datetime.xml testing - override - puppet managed forced restart
20-01-02 23:58:54,Test Message  - datetime.xml testing - override - puppet managed forced restart

2-Save the text as a text file, for example, test_file.csv, to a place that is accessible from all of your Splunk platform instances.
3-On the Splunk platform instance that you want to validate, adjust the MAX_DAYS_HENCE setting for the [default] stanza in the $SPLUNK_HOME/etc/system/local/props.conf configuration file.

[default]
MAX_DAYS_HENCE = 40

4-Restart the Splunk platform.
5-Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.

$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main

6-Perform a search on the text in Step 1. The text with the two digit "20" should have a timestamp with the correct two-digit year of 2020.

Now I'm stuck at step 3: I do not have a props.conf file in /etc/system/local/ of any of the instances. Furthermore, I have lots of custom apps that have their own props.conf within their respective /apps/[appname] directory.

I'm not sure how to validate this fix in this scenario. I was able to validate this on a single-instance test server by just copying /opt/splunk/etc/system/default/props.conf to /opt/splunk/etc/system/local and editing the MAX_DAYS_HENCE value.

But in this production environment I'm not sure how to go about it. If I create a props.conf under /opt/splunk/etc/system/local/, would this override all other props.conf files and break things?

Any suggestions? Thanks.

0 Karma
1 Solution

SplunkTrust

You can create a props.conf in any valid location, with just these two lines:

[my_datetime_test]
MAX_DAYS_HENCE = 40

I wouldn't recommend using [default] in case some other sourcetype relies on this setting in your production environment. Make sure your oneshot references this sourcetype.
Additionally, I wouldn't recommend using index main - instead, use a sandbox/temp index to not pollute your production data with test stuff.

Path Finder

Thanks Martin,
One question: in order to ensure all my instances are correctly patched, will I have to run these steps on each instance individually (SH, Idx, Cluster master, DS, HF, etc.)? Or is there a way this test can validate all instances?

I was thinking along the lines of running the process (step 1 to step 5) on one of the indexers and then executing the search in step 6 on the search head?

0 Karma

Path Finder

Hi aman,

I have a distributed environment and I did this on the HF and added the file into a test index through oneshot. For validation, I select All time once the date is in Splunk.
In a distributed environment, CM and DS are admin components and they do not participate in indexing operations, so there is no need to test them.

0 Karma
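
An added example, not part of the thread or of Splunk's documentation: a small Python check for step 6 that compares the two-digit-year timestamp at the start of each test event with the time Splunk assigned to it. It assumes the results were exported as CSV with a hypothetical event_time column built in the search with strftime; the sample export, including its deliberately wrong third row, is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of exported search results (not real Splunk output).
# Assumed search, with the sourcetype from the accepted answer:
#   index=<sandbox index> sourcetype=my_datetime_test
#   | eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S") | table event_time _raw
# The third row simulates an event whose timestamp was not taken from its text.
SAMPLE_EXPORT = '''event_time,_raw
2019-12-31 23:58:44,"19-12-31 23:58:44,Test Message  - datetime.xml testing"
2020-01-02 23:58:54,"20-01-02 23:58:54,Test Message  - datetime.xml testing"
2024-05-06 10:15:00,"20-01-02 23:58:54,Test Message  - datetime.xml testing"
'''


def check_export(text, tolerance=timedelta(days=1)):
    """Return (raw_timestamp, indexed_time, verdict) for each exported event.

    The one-day tolerance absorbs a time zone difference between the instance
    that parsed the event and the user who ran the search. A larger gap means
    the indexed time does not match the timestamp written in the event.
    """
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        raw_stamp = row["_raw"][:17]  # leading "yy-mm-dd HH:MM:SS"
        try:
            # %y maps 19 -> 2019 and 20 -> 2020, the years the test file intends.
            expected = datetime.strptime(raw_stamp, "%y-%m-%d %H:%M:%S")
            indexed = datetime.strptime(row["event_time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            results.append((raw_stamp, row["event_time"], "UNPARSEABLE"))
            continue
        verdict = "OK" if abs(indexed - expected) <= tolerance else "MISMATCH"
        results.append((raw_stamp, row["event_time"], verdict))
    return results


if __name__ == "__main__":
    for raw_stamp, indexed, verdict in check_export(SAMPLE_EXPORT):
        print(f"{verdict:12} raw={raw_stamp} indexed={indexed}")
```

Run the search over All time so that a mis-timestamped test event is still returned and shows up as MISMATCH.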