Hi,
I have updated all my instances by updating the datetime.xml file as described here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020#Download_and_deploy_an_app_that_temporarily_replaces_the_defective_datetime.xml_file_with_the_fixed_file
Now Im trying to validate the fix by following the suggested procedure i.e.
**1-Paste the following text into a text editor:**
date,message
19-12-31 23:58:44,Test Message - datetime.xml testing - override - puppet managed forced restart
20-01-02 23:58:54,Test Message - datetime.xml testing - override - puppet managed forced restart
**2-Save the text as a text file, for example, test_file.csv, to a place that is accessible from all of your Splunk platform instances.**
**3-On the Splunk platform instance that you want to validate, adjust the MAX_DAYS_HENCE setting for the [default] stanza in the $SPLUNK_HOME/etc/system/local/props.conf configuration file.**
[default]
MAX_DAYS_HENCE = 40
**4-Restart the Splunk platform**.
**5-Using the Splunk CLI, add the text file you saved earlier as a oneshot monitor to the Splunk platform instance that you want to validate.**
$SPLUNK_HOME/bin/splunk add oneshot -source test_file.csv -sourcetype csv -index main
**6-Perform a search on the text in Step 1. The text with the two digit "20" should have a timestamp with the correct two-digit year of 2020.**
Now I'm stuck at step 3, I do not have a props.conf file in /etc/system/local/ of any of the instances ,furthermore I have lots of custom apps that have their own `props.conf` within their respective /apps/[appname] directory.
I m not sure how to validate this fix in this scenario, I was able to validate this on a single instance test server by just copying the `/opt/splunk/etc/system/default/props.conf` onto `/opt/splunk/etc/system/local` and editing the MAX_DAYS_HENCE value.
But in this production environment not sure how to go about it. If i create a props.conf under `/opt/splunk/etc/system/local/` this would override all other `props.conf` and break things?
Any suggestions? Thanks.
↧