Additionally, the company said in an advisory that from 12:26:39 UTC on 13 September 2020, unpatched Splunk platforms would not recognise timestamps from events based on UNIX time.
Unpatched instances of the following software are affected:
- Splunk Cloud
- Splunk Light
- Splunk Enterprise indexers
- Splunk Enterprise heavy forwarders
- Splunk Enterprise search heads: when they get data inputs from any API, and when they forward internal data to other Splunk Enterprise indexers.
- Splunk universal forwarders: when they process structured data such as comma-separated values (CSV) files with the INDEXED_EXTRACTIONS setting in props.conf, and when they process data inputs prior to forwarding with the force_local_processing = true setting in props.conf.
"There is no method to correct the timestamps after the Splunk platform has ingested the data," Splunk warned.
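Because ingested timestamps cannot be corrected afterwards, the practical check is to find events whose indexed time disagrees with the epoch value in the raw event. The script below is an added example, not Splunk's code or the advisory's; the instant named in the advisory is the boundary between epoch 1599999999 and 1600000000, and the event rows and the assumption that the epoch is the first 10-digit integer in `_raw` are constructed for illustration.

```python
"""Flag events whose indexed _time does not match the UNIX epoch in _raw.
Constructed illustration of the Splunk timestamp-recognition issue; the
sample rows are made up, not real Splunk output."""
import re
from datetime import datetime, timezone

# Epoch values at or beyond this boundary fall after the instant named in
# the advisory (12:26:39 UTC on 13 September 2020).
EPOCH_BOUNDARY = 1_600_000_000

# Assumption: the event's timestamp is the first 10-digit integer in _raw.
EPOCH_RE = re.compile(r"(?<!\d)(1[0-9]{9})(?!\d)")


def epoch_to_utc(epoch: int) -> str:
    """Render an epoch value as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def after_boundary(epoch: int) -> bool:
    """True when the epoch value lies past the advisory's cut-over instant."""
    return epoch >= EPOCH_BOUNDARY


def find_mistimed(events, tolerance_s: int = 1):
    """Return events where the indexed _time and the raw epoch disagree.

    events: dicts with '_time' (indexed time, epoch seconds) and '_raw'.
    A mismatch means the platform did not recognise the event's own time
    and stamped it with something else (for example the ingest time).
    """
    bad = []
    for ev in events:
        m = EPOCH_RE.search(ev["_raw"])
        if not m:
            continue  # no epoch in the raw text; nothing to compare
        raw_epoch = int(m.group(1))
        if abs(ev["_time"] - raw_epoch) > tolerance_s:
            bad.append({"raw_epoch": raw_epoch, "indexed": ev["_time"],
                        "after_boundary": after_boundary(raw_epoch)})
    return bad


SAMPLE_EVENTS = [  # constructed rows, not real data
    {"_time": 1599999999, "_raw": "1599999999 user=alice action=login"},
    # stamped with a later ingest time instead of the event's own epoch
    {"_time": 1600100000, "_raw": "1600000000 user=bob action=login"},
    {"_time": 1600000500, "_raw": "1600000500 user=carol action=logout"},
]

if __name__ == "__main__":
    print(epoch_to_utc(EPOCH_BOUNDARY - 1), "->", epoch_to_utc(EPOCH_BOUNDARY))
    for hit in find_mistimed(SAMPLE_EVENTS):
        print(hit)
```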
The company said customers would receive a fix for this issue automatically. On-premises customers could download an updated datetime.xml file and apply it, manually modify existing installations, or upgrade to a version which had the right version of datetime.xml.
Full instructions for updating to avoid the issue are available in the advisory.