Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Fix datetime.xml file in SPlunk

muizash
Path Finder
‎03-25-2020 06:57 PM

So I have to update my datetime.xml file in Splunk because timestamp extraction problem after 1jan 2020.

According to splunk we have to override new file provided from them to existing file.

Now my question:
I have 10I, 20SH, 2HF, 1000's of UF.
Do i need to update datetime.xml on just my Heavy forwarders?
Do i need to update new datetime.xml on all indexers as well? If yes, Please help me how to push configuration from master.

Thanks

0 Karma
Reply

PavelP
Motivator
‎03-26-2020 02:29 AM

according to https://docs.splunk.com/Documentation/Splunk/8.0.2/ReleaseNotes/FixDatetimexml2020#Impact you need to patch UFs under the following known conditions:

  • When they have been configured to process structured data, such as CSV, XML, and JSON files, using the INDEXED_EXTRACTIONS setting in props.conf
  • When they have been configured to process data locally, using the force_local_processing setting in props.conf

if you don't local process on UF, you don't need to patch them

0 Karma
Reply

anmolpatel
Builder
‎03-25-2020 10:44 PM

@muizash yes, you will need to update the datetime xml on all the Splunk endpoints.
Option 1: Download the new datetime.xml and copy it to $SPLUNK_HOME/etc/. This will replace the exisiting datetime.xml file. After that you will need to restart the Splunk instance. Now this location cannot be touched by the deployment server, so you will need to push the files out using an alternative method on all your UF's.

Option 2: Upgrade the Splunk version you're running across all instance. The new install has the updated datetime.xml file

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...