Timestamp issues in Splunk
Recently Splunk announced an issue with timestamp recognition in nearly every Splunk product.
From the first of January Splunk will no longer recognise timestamps if they are represented as 2 numbers (instead of 4 numbers). I.e. 1-1-2020 will be recognized as 1 January 2020 but 1-1-20 will not be recognized at all. From 13th September 2020 there will be a second problem. From this date Splunk will not be able to recognise events with timestamps based on UNIX epoch because this will go from 1599999999 to 1600000000.
After indexation timestamps cannot be adjusted anymore. Therefore, it is highly important to implement one of the existing solutions as soon as possible. You can find all necessary information about this announcement on this Splunk webpage. There are 4 solutions for this problem
- Upgrade Splunk to another version. You can upgrade to version 7.3.3 and the future version 8.0.1 which will be available in the near future.
- Install a special app . This app will temporarily overwrite the datetime.xml until you can upgrade to 7.3.3 of 8.0.1.
- Download and a customised datetime.xml in our Splunk environment.
- Manually fit the datetime.xml on your environment.
It depends on you infrastructure, current Splunk version and organisation which solution will be the best for you. In case you need any help, we are very happy to support you to choose the best solution for your specific situation.
If you want to know more, please contact us at +31 (0)88 018 4100 or contact one of our experts!