“There is no method to correct the timestamps after the Splunk platform has ingested the data.”
Big data analytics platform Splunk admits it has come down with a dose of the millennium bug, as its timestamping feature isn’t ready for the year 2020 and needs a patch to avoid erroneous data ingestion.
Splunk is a San Francisco-based data intelligence platform provider that focuses on monitoring software and business analytics; it currently has a customer base of approximately 19,000 users. The firm collects and indexes data in real time and places it into a searchable repository. Users can create custom graphs and reports from the dashboard, which has a focus on data visualisation.
The Y2K-analogous issue on the Splunk platform is caused by its input processor, which uses a file called datetime.xml to establish timestamps for incoming data. However, that file will only work correctly up to December 31, 2019; after that date it will incorrectly timestamp incoming data.
If you are affected by this, you need to patch the platform before the New Year, as Splunk is warning that: “There is no method to correct the timestamps after the Splunk platform has ingested the data. If you ingest data with an un-patched Splunk platform instance, you must patch the instance and re-ingest the data for timestamps to be correct.”
Users running unpatched Splunk platform instances will face significant issues post-2020 if they configure the input source to automatically determine timestamps; doing so can cause difficulties searching through ingested data and incorrect rollover of data buckets.
To fix this issue Splunk has released a patched version of the datetime.xml file, which can be downloaded from splunk.com as a ZIP file. The exception is Splunk Cloud customers, who will receive the fix automatically.
To patch the issue, users need to do the following:
- Download the datetime.zip timestamp recognition ZIP file from splunk.com.
- Unarchive the ZIP file to a location that is accessible from all of your Splunk platform instances.
- On each Splunk platform instance, do the following:
  - Stop the Splunk platform.
  - Using your operating system's file management utilities, copy the updated datetime.xml from the location where you downloaded it to the $SPLUNK_HOME/etc directory on the Splunk platform instance. Ensure that the updated file overwrites the existing file.
  - Confirm that the new datetime.xml has been written to the $SPLUNK_HOME/etc directory.
  - Restart the Splunk platform. Your Splunk platform instance is now patched.
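The per-instance steps above, scripted as an added example (this is not Splunk's own tooling and is not from the advisory). It assumes the `splunk` CLI is at `$SPLUNK_HOME/bin/splunk` and accepts `stop` and `start`, that the ZIP has already been unarchived so the updated datetime.xml is at the path passed as the first argument, and it adds a rollback copy under a file name of its own choosing (`datetime.xml.pre-2020.bak`). The verification step matters because, as the notice says, data ingested with the old file cannot be corrected afterwards, so the script refuses to bring the instance back up unless the installed file matches the update byte for byte.

```shell
#!/bin/sh
# Added example, not Splunk's own script: applies the updated datetime.xml to one
# Splunk platform instance, following the advisory's stop / copy / confirm /
# restart steps. Assumed: $SPLUNK_HOME/bin/splunk exists and accepts `stop` and
# `start`; the backup file name datetime.xml.pre-2020.bak is this script's own choice.
set -eu

# verify_datetime_xml UPDATED_FILE SPLUNK_HOME
# Return 0 when SPLUNK_HOME/etc/datetime.xml is byte-for-byte identical to the
# updated file (the advisory's "confirm" step), non-zero otherwise.
verify_datetime_xml() {
    cmp -s "$1" "$2/etc/datetime.xml"
}

# patch_datetime_xml UPDATED_FILE [SPLUNK_HOME]
# Stop the instance, overwrite etc/datetime.xml, verify the copy, then start it.
patch_datetime_xml() {
    new_file="$1"
    splunk_home="${2:-${SPLUNK_HOME:-/opt/splunk}}"
    target="$splunk_home/etc/datetime.xml"

    [ -f "$new_file" ] || { echo "updated datetime.xml not found: $new_file" >&2; return 1; }
    [ -d "$splunk_home/etc" ] || { echo "not a Splunk home directory: $splunk_home" >&2; return 1; }

    # Step 1: stop the Splunk platform so the input processor reads the new
    # file when it comes back up.
    "$splunk_home/bin/splunk" stop

    # Keep the old file so the change can be rolled back (backup name assumed).
    if [ -f "$target" ]; then
        cp -p "$target" "$target.pre-2020.bak"
    fi

    # Step 2: copy the updated datetime.xml over the existing one in
    # $SPLUNK_HOME/etc.
    cp "$new_file" "$target"

    # Step 3: confirm the new file really is in place before restarting; data
    # ingested with the old file cannot be corrected afterwards.
    if ! verify_datetime_xml "$new_file" "$splunk_home"; then
        echo "verification failed: $target does not match $new_file" >&2
        return 1
    fi

    # Step 4: restart the Splunk platform.
    "$splunk_home/bin/splunk" start
    echo "patched $target"
}

# Usage: ./patch_datetime.sh /shared/datetime.xml [/opt/splunk]
if [ $# -gt 0 ]; then
    patch_datetime_xml "$@"
fi
```

Run it once per instance from the shared location where the ZIP was unarchived; on a host where `$SPLUNK_HOME` is exported, the second argument can be omitted.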
Users and developers who are more technically savvy, or who are running an older version of Splunk Enterprise that they cannot or do not want to upgrade, can instead manually overwrite the previous datetime.xml via the operating system's management tools. For that step-by-step process and the related strings, see the bottom of Splunk’s warning notice.