Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Trending KB Articles

EDNS-and-CDNs.jpg

#11329: Splunk/Infoblox-Reporting, Timestamp recognition of dates with two-digit years fails beginni

Published 12/16/2019   |    Updated 12/23/2019 01:20 PM

Overview

Splunk/Infoblox-Reporting, Timestamp recognition of dates with two-digit years fails beginning January 1, 2020


Summary

Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets this criteria will be indexed with incorrect timestamps.


Customer Environment

Infoblox grid with single indexer, single-site/multi-site clustered reporting server deployments.


Description and Impact

This issue affects all un-patched Splunk platform instance types, on any operating system.
Indexer and Indexer Clusters, SearchHead and SH Clusters, Forwarders, Cluster Masters, License Masters

The issue appears when the input source is configured to automatically determine timestamps, and can result in one or more of the following problems:
- Incorrect timestamping of incoming data
- Incorrect rollover of data buckets due to the incorrect timestamping
- Incorrect retention of data overall
- Incorrect search results due to data ingested with incorrect timestamps

The Splunk platform input processor uses a file called datetime.xml to help the processor correctly determine timestamps based on incoming data. The file uses regular expressions to extract many different types of dates and timestamps from incoming data.
 
On un-patched Splunk platform instances, the file supports the extraction of two-digit years of "19", that is, up to December 31, 2019. Beginning on January 1, 2020, un-patched instances will erroneously treat incoming data as having an invalid timestamp year, and could either add timestamps using the current year, or misinterpret the date incorrectly and add a timestamp with the misinterpreted date.



Affected NIOS Versions

All 8.0.x, 8.1.x, 8.2.x version
All 8.3.x versions less than or equal to 8.3.6
All 8.4.x versions less than or equal to 8.4.5
Not applicable for 8.5.x version and above
Not applicable for versions older than 8.x



Resolution

Infoblox used test vectors provided by Splunk for issue reproduction and validation.
Infoblox predefined data sources do not include two-digit years and are therefore not affected.
However, we highly recommend customers to upgrade their NIOS to patched versions as they become available or install the attached Generic hotfixes.

Showing results for 
Search instead for 
Did you mean: