So I have to update my datetime.xml file in Splunk because timestamp extraction problem after 1jan 2020.
According to splunk we have to override new file provided from them to existing file.
Now my question:
I have 10I, 20SH, 2HF, 1000's of UF.
Do i need to update datetime.xml on just my Heavy forwarders?
Do i need to update new datetime.xml on all indexers as well? If yes, Please help me how to push configuration from master.
Thanks
according to https://docs.splunk.com/Documentation/Splunk/8.0.2/ReleaseNotes/FixDatetimexml2020#Impact you need to patch UFs under the following known conditions:
if you don't local process on UF, you don't need to patch them
@muizash yes, you will need to update the datetime xml on all the Splunk endpoints.
Option 1: Download the new datetime.xml and copy it to $SPLUNK_HOME/etc/. This will replace the exisiting datetime.xml file. After that you will need to restart the Splunk instance. Now this location cannot be touched by the deployment server, so you will need to push the files out using an alternative method on all your UF's.
Option 2: Upgrade the Splunk version you're running across all instance. The new install has the updated datetime.xml file