Splunk Enterprise

How do we test the upgrade for the 2020 datetime issue?

danielbb
Motivator

Based on Which forwarder version sloves the timestamp recognition of dates with two-digit years fails beginni...

We went ahead and upgraded to 7.3.3. How do we verify that we are ready for 2020?

Tags (1)

niketn
Legend

@danielbb create a temporary index and feed test data with events having yy-mm-dd and other two digit formats like dd-mm-yy etc which you want to test. Also set MAX_DAYS_HENCE to allow future date events to be indexed. If the data is getting inserted correctly then it proves the fix works.

Refer to Splunk Documentation for validation steps: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020#Validate_timesta...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

danielbb
Motivator

You know, when running - ./splunk btool props list --debug | grep MAX_DAYS_HENCE it gives me $SPLUNK_HOME/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2 1547 times. Why so many?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...