Two-digit timestamps in datetime.xml affect the Endpoint Detection and Response (EDR) app for Splunk

Article ID: 185096

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

Splunk recently announced an issue with the two-digit-year handling in its datetime.xml file (the file Splunk uses to recognize timestamps in incoming events) that can affect SEDR customers using the Splunk app starting January 1, 2020. Customers using Splunk on-prem together with Symantec's Splunk app may see problems ingesting SEDR logs starting January 1, 2020, unless they update the datetime.xml file on their on-prem Splunk servers.

Resolution

Details of the Splunk issues and patch options can be found here: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020

Splunk Cloud customers will receive the fix on their Splunk Cloud instances automatically.
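The following is an added illustration, not part of this article and not Splunk's or Symantec's code, of why a two-digit year of "20" breaks timestamp recognition while "19" and four-digit years do not, and of how a simplified year pattern before and after the fix behaves on constructed SEDR-style log lines. The two year regexes are a simplified model of the behaviour described in the Splunk release notes linked above, not the verbatim contents of datetime.xml; the sample event lines are constructed.

```python
import re

# Constructed, simplified year patterns modelled on the datetime.xml problem:
# before the fix a bare two-digit year is only accepted for 90-99 and 00-19,
# after the fix 20-29 is accepted as well. Illustrative only, not the real file.
YEAR_BEFORE_FIX = r"(?:20\d\d|19\d\d|[901]\d(?!\d))"
YEAR_AFTER_FIX = r"(?:20\d\d|19\d\d|[9012]\d(?!\d))"


def timestamp_pattern(year_re: str) -> re.Pattern:
    """Build an anchored mm/dd/yy(yy) HH:MM:SS matcher around a year pattern."""
    return re.compile(
        r"^(\d{1,2})/(\d{1,2})/(" + year_re + r")\s+(\d{2}):(\d{2}):(\d{2})"
    )


def extract_year(line: str, year_re: str = YEAR_BEFORE_FIX):
    """Return the year token a parser using year_re would recognize, or None."""
    m = timestamp_pattern(year_re).match(line)
    return m.group(3) if m else None


# Constructed sample events in the shape of log lines with a leading timestamp.
SAMPLE_EVENTS = [
    "12/31/19 23:59:59 sedr event_type=endpoint.detection severity=high",
    "01/01/20 00:00:01 sedr event_type=endpoint.detection severity=high",
    "01/01/2020 00:00:02 sedr event_type=endpoint.detection severity=low",
]


def unparseable(lines, year_re: str):
    """Lines whose timestamp would not be recognized under the given year pattern.

    Run this over a sample of the logs you forward to an on-prem Splunk server
    to see which events the unpatched pattern would fail on.
    """
    return [line for line in lines if extract_year(line, year_re) is None]


if __name__ == "__main__":
    for label, year_re in (("before fix", YEAR_BEFORE_FIX), ("after fix", YEAR_AFTER_FIX)):
        bad = unparseable(SAMPLE_EVENTS, year_re)
        print(f"{label}: {len(bad)} of {len(SAMPLE_EVENTS)} events unrecognized")
        for line in bad:
            print("   ", line)
```

With the pre-fix pattern the "01/01/20" event is the only one that fails: "19" is accepted as a two-digit year and "2020" as a four-digit year, but "20" followed by a non-digit is matched by neither branch. The patched pattern accepts all three lines. The authoritative fix for a real deployment is the updated datetime.xml from the Splunk release notes linked in the Resolution section; this script only shows what to look for when checking a sample of your own SEDR events.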