Splunk has disclosed a bug in its platform that, from 1 January 2020, causes it to fail to recognise timestamps that use a two-digit year, drawing comparisons to the infamous Y2K bug.
The bug stems from a faulty XML file, datetime.xml, which the Splunk platform's input processor uses to work out the correct timestamp for incoming data.
In the release notes for Splunk version 8.0.0, the data-crunching software vendor said, “Beginning on January 1, 2020, un-patched Splunk platform instances will be unable to recognize timestamps from events where the date contains a two-digit year. This means data that meets this criteria will be indexed with incorrect timestamps.”
The issue affects all unpatched Splunk platform instance types on all operating systems, including Splunk Cloud, Light and Enterprise, as well as Splunk universal forwarders under some conditions.
On unpatched instances, the file can only extract two-digit years up to "19". From 1 January 2020, such instances treat incoming data carrying a two-digit year of "20" as having an invalid year, and will either stamp the event with a 2019 date or misparse the date and index the event under the misparsed timestamp.
The consequences include incorrect timestamping of incoming data, incorrect rollover of data buckets as a result of that timestamping, incorrect retention of data overall, and incorrect search results for data that was ingested with the wrong timestamps.
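To make the failure mode concrete, here is an added, illustrative example; it is not Splunk's code and the patterns below are not the contents of datetime.xml. It assumes a year rule of the form "four-digit 19xx/20xx, or a two-digit year whose first digit is 9, 0 or 1" (the "unpatched" rule), a patched rule that also accepts a leading 2, a 70/69 pivot for expanding two-digit years, and a simplified fallback in which an event with no recognisable date inherits the previous event's timestamp. The sample log lines are constructed. The example shows both outcomes the article describes: the 2020 event that falls back to a 2019 timestamp, and the 2020 event that is misparsed because the only date the rule accepts sits later in the line.

```python
import re
from datetime import datetime

# Assumed year rules: these model the class of regex that produces the failure
# described in the article. They are NOT the real contents of Splunk's datetime.xml.
UNPATCHED_YEAR = r"(?:20\d\d|19\d\d|[901]\d)"  # two-digit years: 90-99 and 00-19 only
PATCHED_YEAR = r"(?:20\d\d|19\d\d|[9012]\d)"   # two-digit years: 90-99 and 00-29


def build_pattern(year_re):
    """mm/dd/yy or mm/dd/yyyy followed by hh:mm:ss, with a pluggable year rule."""
    return re.compile(
        r"(?P<month>\d{1,2})/(?P<day>\d{1,2})/(?P<year>" + year_re + r")"
        r"\s+(?P<hms>\d\d:\d\d:\d\d)"
    )


def expand_year(year):
    """Assumed pivot for two-digit years: 70-99 -> 19xx, 00-69 -> 20xx."""
    if len(year) == 4:
        return int(year)
    yy = int(year)
    return 1900 + yy if yy >= 70 else 2000 + yy


def index_events(lines, year_re, previous=None):
    """Stamp each event the way a naive regex-driven extractor would.

    Returns one (timestamp, status) pair per event, where status is:
      "ok"         the date at the head of the event was parsed
      "misparsed"  the only date the rule accepted sits elsewhere in the event
      "fallback"   no date was accepted; the previous event's timestamp is reused
                   (an assumed simplification of what an indexer does without one)
    """
    pattern = build_pattern(year_re)
    results = []
    for line in lines:
        m = pattern.search(line)
        if m is None:
            ts, status = previous, "fallback"
        else:
            hour, minute, second = (int(x) for x in m["hms"].split(":"))
            ts = datetime(expand_year(m["year"]), int(m["month"]), int(m["day"]),
                          hour, minute, second)
            status = "ok" if m.start() == 0 else "misparsed"
        previous = ts
        results.append((ts, status))
    return results


def rejected_two_digit_years(year_re):
    """Two-digit years ('00'..'99') that a year rule cannot extract from an event
    beginning with mm/dd/yy. A practitioner can run this against any candidate rule
    to confirm it accepts the years their data will carry."""
    pattern = build_pattern(year_re)
    rejected = []
    for yy in range(100):
        m = pattern.match(f"06/15/{yy:02d} 12:00:00 probe")
        if m is None or m["year"] != f"{yy:02d}":
            rejected.append(f"{yy:02d}")
    return rejected


# Constructed sample events (not real Splunk data).
SAMPLE_EVENTS = [
    "12/31/19 23:59:58 login ok user=alice src=10.1.2.3",
    "01/01/20 00:00:03 login ok user=bob src=10.1.2.4",
    "01/01/20 00:00:07 cert check expiry=12/31/19 23:59:59 host=web01",
]

if __name__ == "__main__":
    for label, rule in (("unpatched", UNPATCHED_YEAR), ("patched", PATCHED_YEAR)):
        print(f"--- {label} rule rejects two-digit years: "
              f"{','.join(rejected_two_digit_years(rule))}")
        for line, (ts, status) in zip(SAMPLE_EVENTS, index_events(SAMPLE_EVENTS, rule)):
            print(f"{status:9s} {ts}  <- {line}")
```

With the unpatched rule, the second event inherits the 2019-12-31 timestamp of the event before it, and the third is stamped 2019-12-31 23:59:59 from the certificate-expiry field rather than from its own date; with the patched rule all three events are stamped correctly. The `rejected_two_digit_years` check is the kind of probe worth running against any timestamp rule before a year boundary, whatever the product.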
Splunk is urging users either to upgrade their Splunk platform instances to a version that ships an updated datetime.xml file, to download the new XML file and apply it to each Splunk platform instance, or to modify the existing file, in order to prevent data loss.
Those with a large on-premises deployment of several Splunk platform instances can contact Splunk Professional Services.
Instructions on how to patch the bug, and more information, can be found in the Splunk 8.0.0 release notes.
In case you need a reminder, the Y2K bug was the term used to describe problems related to the date transition in computer systems from 1999 to 2000, which many feared would bring down computing infrastructure globally.