I have updated all my instances by updating the datetime.xml file as described here:
Now I'm trying to validate the fix by following the suggested procedure, i.e.:
1. Paste the following text into a text editor:
19-12-31 23:58:44,Test Message - datetime.xml testing - override - puppet managed forced restart
20-01-02 23:58:54,Test Message - datetime.xml testing - override - puppet managed forced restart
2. Save the text as a text file, for example, test_file.csv, to a place that is accessible from all of your Splunk platform instances.
3. On the Splunk platform instance that you want to validate, adjust the MAX_DAYS_HENCE setting for the [default] stanza in the $SPLUNK_HOME/etc/system/local/props.conf configuration file.
MAX_DAYS_HENCE = 40
4. Restart the Splunk platform.
5. Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.
$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main
6. Perform a search on the text in Step 1. The text with the two-digit "20" should have a timestamp with the correct two-digit year of 2020.
Now I'm stuck at step 3: I do not have a props.conf file in /etc/system/local/ of any of the instances. Furthermore, I have lots of custom apps that have their own props.conf within their respective /apps/[appname] directory.
I'm not sure how to validate this fix in this scenario. I was able to validate this on a single-instance test server by just copying /opt/splunk/etc/system/default/props.conf into /opt/splunk/etc/system/local and editing the MAX_DAYS_HENCE value.
But in this production environment I'm not sure how to go about it. If I create a props.conf under /opt/splunk/etc/system/local/, would this override all other props.conf files and break things?
Any suggestions? Thanks.