Splunk timestamp advisory

Written by The Integrity360 Team | 27 November 2019 15:40:41 Z

SPLUNK PRODUCT TIMESTAMP ISSUE 

As you may already be aware, this week Splunk released an advisory to inform clients of a time-sensitive issue identified in all current versions of Splunk Enterprise, Splunk Light and Splunk Cloud. If action is not taken prior to January 1, 2020, this issue can cause significant data ingestion problems. We'd like to advise our clients of the need to address it before that date.

The Impact

Beginning January 1, 2020, timestamps using two-digit years will stop being correctly recognised, which can cause inaccurate, unsearchable or prematurely deleted data. Full details of this issue, including the workaround and product fixes, are documented in the Release Notes for each Splunk version.
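
To gauge exposure before applying the fix, one option is to sample events from each source and flag those whose timestamps use a two-digit year. The Python below is an added example, not Splunk's or Integrity360's code; its regular expressions are heuristics chosen for illustration and do not reproduce the rules in datetime.xml, and the source names and log lines are constructed.

```python
import re
from collections import Counter

MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*"

# Heuristic patterns (assumptions for this example, not Splunk's datetime.xml rules).
TWO_DIGIT_YEAR_PATTERNS = [
    # 12/31/19, 31.12.19, 19-12-31: three 1-2 digit fields, same separator,
    # not embedded in a longer number such as 12/31/2019 or an IP address.
    re.compile(r"(?<![\d/.-])\d{1,2}([/.-])\d{1,2}\1\d{2}(?![\d/.-])"),
    # 31-Dec-19 or 31 Dec 19; the lookahead rejects "27 Nov 15:40:41" (no year).
    re.compile(r"(?<!\d)\d{1,2}[ -]" + MONTHS + r"[ -]\d{2}(?![\d:])"),
]

def has_two_digit_year(line):
    """True if the line carries a date written with a two-digit year."""
    return any(p.search(line) for p in TWO_DIGIT_YEAR_PATTERNS)

def sources_to_review(samples):
    """Count two-digit-year lines per source from (source, line) pairs."""
    hits = Counter()
    for source, line in samples:
        if has_two_digit_year(line):
            hits[source] += 1
    return dict(hits)

# Constructed sample events; source names are hypothetical.
SAMPLES = [
    ("fw_legacy", "12/31/19 23:59:58 DENY tcp 10.0.0.5:4431 -> 192.168.10.25:443"),
    ("fw_legacy", "01/01/20 00:00:01 ALLOW udp 10.0.0.7:53 -> 10.12.13.14:53"),
    ("app_json", '{"ts": "2019-12-31T23:59:58Z", "msg": "login ok"}'),
    ("batch_job", "31-Dec-19 23:59:58 job=nightly status=done"),
    ("syslog", "Dec 31 23:59:58 host1 sshd[812]: session opened"),
    ("web", '203.0.113.9 - - [31/Dec/2019:23:59:58 +0000] "GET / HTTP/1.1" 200'),
]

if __name__ == "__main__":
    for source, count in sorted(sources_to_review(SAMPLES).items()):
        print(f"{source}: {count} sampled line(s) use a two-digit year")
```

Sources that show up in the result are the ones to check first after the datetime.xml change is applied; version strings such as 1.2.34 can produce false positives, so review hits by eye.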

Action Needed

If you are an affected Splunk customer, you should already have received an email notification from Splunk alerting you to the action needed.

Splunk Cloud instances will automatically be updated prior to January 1, 2020. A Splunk Support representative will advise you of an upgrade date.

All Splunk Enterprise and Splunk Light customers, and any Splunk Cloud customers using Forwarders, must apply one of the following changes to every impacted instance prior to January 1, 2020 to avoid the issue:

  • Download and install an updated version of the datetime.xml file on each instance.  
  • Make modifications to the existing datetime.xml on each instance. 
  • Download and install an upgraded version of Splunk Enterprise or Splunk Light that contains the fixed datetime.xml as each release becomes available. Refer back to the Release Notes for updated versions as they are released.

Should you require assistance with applying the fix or upgrading, please contact your account manager or email info@integrity360.com. As always, Integrity360 Managed Security Service customers will already be covered through our proactive security approach.

End of Support Reminder

We’d also like to remind clients that Splunk Enterprise versions 6.x and 7.0 have now reached end of support and should be upgraded to a supported version. If you have not already upgraded and require assistance, please contact your account manager. Full Splunk support dates can be found on the Splunk website.