An Error in Splunk Products Requires Quick Response

Timestamps are a core function in Splunk, since Splunk orders data by time. Timestamps come in many different formats, so Splunk includes functions for configuring correct parsing of timestamps.

The error

Splunk has identified an error that can cause data to go missing or become inconsistent when used.

The error lies in the way Splunk handles timestamps with two-digit years from January 1, 2020 onward. Splunk may interpret the year 2020 as 1920, which leads to the inconsistency mentioned above.
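As an added illustration (not Splunk's own code, and not its timestamp configuration), the following Python models the symptom described above and the check an operator would run to spot it: a two-digit-year rule whose window stops at 2019 maps "20" to 1920, and a skew check flags events that land a century away from their ingest time. The regex, the corrected pivot rule, the sample log lines and the ingest time are constructed assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample events (not from the advisory): 4-digit and 2-digit years.
SAMPLE_LINES = [
    "01/Jan/2020:00:00:05 +0000 GET /index.html 200",
    "01/Jan/20 00:00:07 sshd[1042]: Accepted publickey for ops",
    "31/Dec/19 23:59:58 sshd[1040]: session closed for user ops",
]
INDEX_TIME = datetime(2020, 1, 1, 0, 1, 0, tzinfo=timezone.utc)  # constructed ingest time
TS_RE = re.compile(
    r"(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{2,4})[: ](?P<hms>\d{2}:\d{2}:\d{2})"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def resolve_year(year_field: str, patched: bool) -> int:
    """Expand a 2-digit year. The unpatched rule models the advisory's symptom:
    only 00-19 are recognised as 20xx, so "20" falls back to 1920."""
    if len(year_field) == 4:
        return int(year_field)
    yy = int(year_field)
    if not patched:
        return 2000 + yy if yy <= 19 else 1900 + yy  # "20" -> 1920
    # Assumed corrected rule (a conventional pivot, not Splunk's actual fix).
    return 2000 + yy if yy < 70 else 1900 + yy

def parse_event_time(line: str, patched: bool):
    """Extract the event timestamp as a UTC datetime, or None if none is found."""
    m = TS_RE.search(line)
    if not m:
        return None
    hour, minute, second = (int(x) for x in m["hms"].split(":"))
    return datetime(resolve_year(m["year"], patched), MONTHS[m["mon"]],
                    int(m["day"]), hour, minute, second, tzinfo=timezone.utc)

def find_misdated(lines, index_time, patched, max_skew_years=50):
    """Flag events parsed implausibly far from index time: an event landing a
    century in the past is the signature of this bug."""
    flagged = []
    for line in lines:
        t = parse_event_time(line, patched)
        if t is not None and abs((index_time - t).days) > max_skew_years * 365:
            flagged.append((line, t.isoformat()))
    return flagged

def run_check(patched: bool):
    return find_misdated(SAMPLE_LINES, INDEX_TIME, patched)

if __name__ == "__main__":
    for line, when in run_check(patched=False):
        print(f"misdated as {when}: {line}")
```

With the unpatched rule, only the sshd line dated "01/Jan/20" is flagged, parsed as 1920-01-01; with the corrected rule nothing is flagged.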

Versions

The error applies to the following Splunk products:

  • Splunk Enterprise Security
  • Splunk Light
  • Splunk Cloud (relevant for customers who use forwarders)

The error is present in all versions except the newest releases. It has already been corrected in version 7.3.3 (at this point the only available release containing the fix).

In addition, the error will be corrected in the following future releases:

  • 8.0.1
  • 7.2.9.1
  • 7.1.10

The solution

At this point there are three possible ways to correct the error:

  1. Upgrading to a version of Splunk in which the error has been corrected
  2. Updating the timestamp-parsing configuration
  3. Manually adjusting the timestamp-parsing configuration

Netic recommends that all customers upgrade to a version in which the error has been corrected. That way, other less critical errors are corrected as well.

If you want Netic's assistance with the upgrade or error correction, the effort naturally depends on the size of the Splunk installation. Typically, an upgrade requires approx. 2-4 hours.

You can read more about the error in Splunk's release notes here: https://docs.splunk.com/Documentation/Splunk/8.0.0

Please contact Netic for additional information, or if you need assistance with the upgrade or error correction.
