View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Hardware
November 26, 2019

New Year New Y2K as Splunk Timestamp Gets Confused by the Passage of Time

“There is no method to correct the timestamps after the Splunk platform has ingested the data."

By CBR Staff Writer

Big data analytics platform Splunk admits it has come down with a dose of the millennium bug, as its timestamping feature isn’t ready for the year 2020 and needs a patch to avoid erroneous data ingestion.

Splunk is a San Francisco-based data intelligence platform provider that focus on monitoring software and business analytics, it currently has a customer base of approximately 19,000 users. The firm collects and indexes data in real-time while placing it into a searchable repository. Users can create custom graphs and reports from the dashboard, which has a focus on data visualisation.

The Y2K-analogous issue on the Splunk platform is being caused by its input processor which uses a file called datatime.xml, this file normally helps the processor correctly establish timestamps for incoming data. However, that file will only work up to December 31, 2019; after which it will incorrectly timestamp incoming date.

If you are affected by this you need to patch the platform before the New Year as Splunk is warning that: “There is no method to correct the timestamps after the Splunk platform has ingested the data. If you ingest data with an un-patched Splunk platform instance, you must patch the instance and re-ingest the data for timestamps to be correct.”

Splunk Timestamp

Splunk versions in need of patch Credit: Splunk

Splunk Timestamp

Users running unpatched versions of the Splunk platform and its instances will face significant issues post-2020 if they configure the input source to automatically determine timestamps; doing so can cause the user to experience difficulties searching through ingested data and incorrect rollover of data buckets.

In order to fix this issue Splunk has released a patched version of the datatime.xml file, which can be download here as a ZIP file. With the exception of Splunk Cloud customers who will receive the fix automatically.

To patch the issue users need to do the following;

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
  • Download the timestamp recognition ZIP file from
  • Unarchive the ZIP file to a location that is accessible from all of your Splunk       platform instances.
  • On each Splunk platform instance, do the following:
  • Stop the Splunk platform.
  • Using your operating system file management utilities, copy the updated   datetime.xml from the location where you downloaded it to the   $SPLUNK_HOME/etc directory on the Splunk platform instance. Ensure that the   updated file overwrites the existing file.
  • Confirm that the new datetime.xml has been written to the $SPLUNK_HOME/etc   directory.
  • Restart the Splunk platform. Your Splunk platform instance is now patched.

For users and developers that are more technically savvy or are running an older version of the Splunk enterprise platform that they do not or cannot upgrade it is possible to manually overwrite the previous datetime.xml via the operating system management tools. For that step by step process and the related strings see the bottom of Splunk’s warning notice.

See Also: Anti-Money Laundering Start-Up TookiTaki Raise £9.8 Million

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.