datetime.xml correction added

codingWithJimmy · codingWithJimmy · commit 7b1558762443 · 2019-11-30T20:26:48.000-05:00
Added scripts used to correct the issue with datetime.xml being incorrect
diff --git a/bin/dateTimeCorrect.ps1 b/bin/dateTimeCorrect.ps1
@@ -0,0 +1,17 @@
+### Capture current values for forwarder and configure file path variables for the system
+$existingDateTime = "$SPLUNKHOME\etc\datetime.xml"
+$referenceDateTime = "$SPLUNKHOME\apps\SplunkForwarderRepairKit\datetime.xml"
+$restartDateTimeCheck = "$SPLUNKHOME\etc\restartdatetime.txt"
+
+### Filter to attach timestamps where necessary
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+
+### Check flags and take appropriate actions for host name
+if(Compare-Object -ReferenceObject $(Get-Content $existingDateTime) -DifferenceObject $(Get-Content $referenceDateTime)) {
+    Write-output "The datetime.xml file needs to be updated. Updating..." | timestamp
+    Copy-Item -Path "$existingDateTime" -Destination "$existingDateTime_$(Get-Date -Format 'MMddyyyy').bak"
+    Copy-Item -Path "$referenceDateTime" -Destination "$existingDateTime"
+    Out-File -FilePath "$restartDateTimeCheck"
+} else {
+    Write-output "The datetime.xml is the updated version. No correction necessary..."  | timestamp
+}
diff --git a/bin/dateTimeCorrect.sh b/bin/dateTimeCorrect.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+### Determine the difference in the reference datetime.xml in the app and the datetime.xml currently used by Splunk
+EXISTING_DATETIME="$SPLUNK_HOME/etc/datetime.xml"
+REFERENCE_DATETIME="$SPLUNK_HOME/etc/apps/SplunkForwarderRepairKit/datetime.xml"
+DATETIME_DIFFERENCE=$(diff $REFERENCE_DATETIME $EXISTING_DATETIME | wc -l)
+RESTART_DATETIME_CHECK="$SPLUNK_HOME/etc/restartdatetime.txt"
+
+### Determine if a correction is necessary
+if [ $DATETIME_DIFFERENCE = 0 ]; then
+	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: The datetime.xml is the updated version. No correction necessary..."
+else
+	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: The datetime.xml file needs to be updated. Updating..."
+	cp $EXISTING_DATETIME $EXISTING_DATETIME.$(date +"%m%d%Y")
+	cp $REFERENCE_DATETIME $EXISTING_DATETIME
+	touch $RESTART_DATETIME_CHECK
+fi
diff --git a/bin/restart.ps1 b/bin/restart.ps1
@@ -3,15 +3,17 @@ $inputPath = "$SPLUNKHOME\etc\restartinput.txt"
 $serverPath = "$SPLUNKHOME\etc\restartserver.txt"
 $dsPath = "$SPLUNKHOME\etc\restartds.txt"
 $guidPath = "$SPLUNKHOME\etc\restartguid.txt"
+$dateTimePath = "$SPLUNKHOME\etc\restartdatetime.txt"
 $restartInput = {$(Test-Path "$SPLUNKHOME\etc\restartinput.txt" -PathType Leaf)}
 $restartServer = {$(Test-Path "$SPLUNKHOME\etc\restartserver.txt" -PathType Leaf)}
 $restartDS = {$(Test-Path "$SPLUNKHOME\etc\restartds.txt" -PathType Leaf)}
 $restartGUID = {$(Test-Path "$SPLUNKHOME\etc\restartguid.txt" -PathType Leaf)}
+$restartDateTime = {$(Test-Path "$SPLUNKHOME\etc\restartdatetime.txt" -PathType Leaf)}
 
 ### Filter to attach timestamps where necessary
 filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
 
-if ($restartInput -eq "True" -OR $restartServer -eq "True" -OR $restartDS -eq "True" -OR $restartGUID -eq "True") {
+if ($restartInput -eq "True" -OR $restartServer -eq "True" -OR $restartDS -eq "True" -OR $restartGUID -eq "True" -OR $restartDateTime -eq "True") {
 	Write-output "One or more settings has been changed." | timestamp
 	Write-output "Restarting forwarder." | timestamp
 	if ($restartInput -eq "True") {
@@ -26,6 +28,9 @@ if ($restartInput -eq "True" -OR $restartServer -eq "True" -OR $restartDS -eq "T
 	if ($restartGUID -eq "True") {
 		Delete-Item -path "$guidPath"
 	}
+	if ($restartDateTime -eq "True") {
+		Delete-Item -path "$dateTimePath"
+	}
 	sleep 5
 	$restart = "restart"
 	& "$SPLUNKHOME\bin\splunk.exe" $restart
diff --git a/bin/restart.sh b/bin/restart.sh
@@ -4,9 +4,10 @@ RESTARTINPUT="$SPLUNK_HOME/etc/restartinput.txt"
 RESTARTSERVER="$SPLUNK_HOME/etc/restartserver.txt"
 RESTARTDS="$SPLUNK_HOME/etc/restartds.txt"
 RESTARTGUID="$SPLUNK_HOME/etc/restartguid.txt"
+RESTARTDATETIME="$SPLUNK_HOME/etc/restartdatetime.txt"
 
 ### If any files exist, restart forwarder
-if [ -f $RESTARTINPUT ] | [ -f $RESTARTSERVER ] | [ -f $RESTARTDS ] | [ -f $RESTARTGUID ]; then
+if [ -f $RESTARTINPUT ] | [ -f $RESTARTSERVER ] | [ -f $RESTARTDS ] | [ -f $RESTARTGUID ] | [ -f $RESTARTDATETIME ]; then
 	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: One or more settings has been changed."
 	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: Restarting forwarder."
 	if [ -f $RESTARTINPUT ]; then
@@ -21,6 +22,9 @@ if [ -f $RESTARTINPUT ] | [ -f $RESTARTSERVER ] | [ -f $RESTARTDS ] | [ -f $REST
 	if [ -f $RESTARTGUID ]; then
 		rm $RESTARTGUID
 	fi
+	if [ -f $RESTARTDATETIME ]; then
+		rm $RESTARTDATETIME
+	fi
 	sleep 5
 	$SPLUNK_HOME/bin/splunk restart
 else
diff --git a/datetime.xml b/datetime.xml
@@ -0,0 +1,225 @@
+<!--   Version 4.0 -->
+
+<!-- datetime.xml -->
+<!-- This file contains the general formulas for parsing date/time formats. -->
+
+<datetime>
+
+<define name="_year" extract="year">
+	<text><![CDATA[(20\d\d|19\d\d|[9012]\d(?!\d))]]></text>
+</define>
+
+<define name="_month" extract="month">
+	<text><![CDATA[(0?[1-9]|1[012])(?!:)]]></text>
+</define>
+
+<define name="_litmonth"  extract="litmonth">
+	 <text><![CDATA[(?<![\d\w])(jan|\x{3127}\x{6708}|feb|\x{4E8C}\x{6708}|mar|\x{4E09}\x{6708}|apr|\x{56DB}\x{6708}|may|\x{4E94}\x{6708}|jun|\x{516D}\x{6708}|jul|\x{4E03}\x{6708}|aug|\x{516B}\x{6708}|sep|\x{4E5D}\x{6708}|oct|\x{5341}\x{6708}|nov|\x{5341}\x{3127}\x{6708}|dec|\x{5341}\x{4E8C}\x{6708})[a-z,\.;]*]]></text>
+</define>
+
+<define name="_allmonth" extract="litmonth, month">
+	<text><![CDATA[(?:]]></text>
+        <use name="_litmonth"/>
+	<text><![CDATA[|]]></text>
+        <use name="_month"/>
+	<text><![CDATA[)]]></text>
+</define>
+
+<define name="_day"  extract="day">
+	<text><![CDATA[(0?[1-9]|[12]\d|3[01])]]></text> 
+</define>
+
+<define name="_usday" extract="day">
+	<use name="_day"/>
+	<text><![CDATA[(?:st|nd|rd|th|[,\.;])?]]></text>
+</define>
+
+<define name="_hour" extract="hour">
+	<text><![CDATA[([01]?[0-9]|[012][0-3])(?!\d)]]></text>
+</define>
+
+<define name="_minute" extract="minute">
+	<text><![CDATA[([0-6]\d)(?!\d)]]></text>
+</define>
+
+<define name="_second" extract="second">
+	<text><![CDATA[([0-6]\d)(?!\d)]]></text>
+</define>
+
+<define name="_zone" extract="zone">
+	 <text><![CDATA[((?:(?:UT|UTC|GMT(?![+-])|CET|CEST|CETDST|MET|MEST|METDST|MEZ|MESZ|EET|EEST|EETDST|WET|WEST|WETDST|MSK|MSD|IST|JST|KST|HKT|AST|ADT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|CAST|CADT|EAST|EADT|WAST|WADT|Z)|(?:GMT)?[+-]\d\d?:?(?:\d\d)?)(?!\w))?]]></text>
+</define>
+
+<define name="_ampm" extract="ampm">
+	<text><![CDATA[([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348})?]]></text>
+</define>
+
+<define name="_time" extract="hour, minute, second, subsecond, ampm, zone">
+	<text><![CDATA[(?<!\d)]]></text>
+        <use name="_hour"/>
+	<text><![CDATA[:]]></text>
+        <use name="_minute"/>
+	<text><![CDATA[:]]></text>
+        <use name="_second"/> 
+	<text><![CDATA[(?:(?: \d{4})?[:,\.](\d+))? {0,2}]]></text>
+        <use name="_ampm"/>
+	<text><![CDATA[ {0,2}]]></text>
+        <use name="_zone"/>
+	<text><![CDATA[(?!:\d)]]></text>
+</define>
+
+<define name="_hmtime" extract="hour, minute, ampm">
+	<text><![CDATA[(?<!\d)]]></text>
+        <use name="_hour"/>
+	<text><![CDATA[:]]></text>
+        <use name="_minute"/>
+	<text><![CDATA[(?: ([ap]m(?:[^A-Za-z0-9]|$)|[\x{4E0A}\x{4E0B}]\x{5348}))?(?!:[:\d])]]></text>
+</define>
+
+
+<define name="_dottime" extract="hour, minute, second, subsecond, zone">
+	<text><![CDATA[(?<![\d\.])([01]\d|2[0-3])\.]]></text>
+        <use name="_minute"/>
+	<text><![CDATA[(?:\.?]]></text>
+        <use name="_second"/>
+	<text><![CDATA[(?:[:,]\d+)?(?:\.(\d\d\d\d+))?) {0,2}]]></text>
+        <use name="_zone"/>
+	<text><![CDATA[(?![0-9\.])]]></text>
+</define>
+
+<define name="_combdatetime" extract="year, month, day, hour, minute, second, subsecond">
+        <!-- ... 20060502-000002 GMT ... -->
+	<text><![CDATA[(?<![\d\.])(20\d\d)(0\d|1[012])([012]\d|3[01])[.-]?([01]\d|2[0123])([0-6]\d)([0-6]\d)(?:\.?(\d+))?]]>\s*</text>
+        <use name="_zone"/> 
+</define>
+
+<define name="_combdatetime2" extract="year, ignored_sep, month, day, hour, minute, second, zone">
+        <!-- ... 2007-3-22 0:0:2 GMT ...' -->
+        <!-- ... 2007/3/22 0:0:2 GMT ...' -->
+        <text><![CDATA[(?<![\d\.])(20\d\d)([-/])([01]?\d)\2([012]?\d|3[01])\s+([012]?\d):([0-6]?\d):([0-6]?\d)]]>\s*</text>
+        <use name="_zone"/> 
+</define>
+
+
+
+<define name="_usdate" extract="litmonth, month, ignored_sep, day, zone, ignored_sep2, year">
+	 <text><![CDATA[(?<!\w|\d[:\.\-])]]></text>
+	 <use name="_allmonth"/> 
+         <text><![CDATA[([/\- ]) {0,2}]]></text>
+         <use name="_day"/>
+         <text><![CDATA[(?!:) {0,2}(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}]]></text>
+	 <use name="_zone"/>
+         <text><![CDATA[)?((?:\3|,) {0,2}]]></text>
+         <use name="_year"/> 
+         <text><![CDATA[)?(?!/|\w|\.\d)]]></text>
+</define>
+
+<!-- Jan 21, 09.  allows spaces with litmonth only -->
+<define name="_usdate1" extract="litmonth, ignored_sep, day, zone, ignored_sep2, year">
+	 <text><![CDATA[(?<!\w|\d[:\.\-])]]></text>
+	 <use name="_litmonth"/> 
+         <text><![CDATA[([/\- ]) {0,2}]]></text>
+         <use name="_day"/>
+         <text><![CDATA[(?!:) {0,2}(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}]]></text>
+	 <use name="_zone"/>
+         <text><![CDATA[)?((?:\2|,) {0,2}]]></text>
+         <use name="_year"/> 
+         <text><![CDATA[)?(?!/|\w|\.\d)]]></text>
+</define>
+
+<!-- 10/21/09. doesn't allow spaces (e.g. 10 21 09) with numeric month -->
+<define name="_usdate2" extract="month, ignored_sep, day, zone, ignored_sep2, year">
+	 <text><![CDATA[(?<!\w|\d[:\.\-])]]></text>
+	 <use name="_month"/> 
+         <text><![CDATA[([/\-])]]></text>
+         <use name="_day"/>
+         <text><![CDATA[(?!:)(?:\d\d:\d\d:\d\d(?:[\.\,]\d+)? {0,2}]]></text>
+	 <use name="_zone"/>
+         <text><![CDATA[)?((?:\2)]]></text>
+         <use name="_year"/> 
+         <text><![CDATA[)?(?!/|\w|\.\d)]]></text>
+</define>
+
+
+<define name="_isodate" extract="year, ignored_sep, litmonth, month, day">
+        <text><![CDATA[(?<![\w\d])]]></text>
+        <use name="_year"/>
+	<text><![CDATA[([\./\- ])]]></text>
+        <use name="_allmonth"/>
+	<text><![CDATA[(?!\d)(?:[\./\- ] {0,2})?]]></text>
+        <use name="_day"/>
+        <text><![CDATA[(?!/)(?:(?=T)|(?!\w)(?!\.\d))]]></text>
+</define>
+
+<!-- eurodate format.  period/dot delim separated out to eurodate2 -->
+<define name="_eurodate1" extract="day, ignored_sep, litmonth, month, year">
+        <text><![CDATA[(?<![\w\.])]]></text>
+        <use name="_usday"/> 
+	<text><![CDATA[([\- /]) {0,2}]]></text>
+        <use name="_allmonth"/>
+        <text><![CDATA[\2 {0,2}]]></text>
+        <use name="_year"/>
+        <text><![CDATA[(?![\w\.])]]></text>
+</define>
+
+<!-- just period/dot delimiter.  do not allow any spaces after dots (e.g. "version 5.4. 10" -->
+<define name="_eurodate2" extract="day, litmonth, month, year">
+        <text><![CDATA[(?<![\w\.])]]></text>
+        <use name="_usday"/> 
+	<text><![CDATA[\.]]></text>
+        <use name="_allmonth"/>
+        <text><![CDATA[\.]]></text>
+        <use name="_year"/>
+        <text><![CDATA[(?![\w\.])]]></text>
+</define>
+
+
+<define name="_bareurlitdate" extract="day, litmonth, year">
+	<text><![CDATA[(\d\d?)\|\|(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\|\|(20\d\d)]]></text>
+</define>
+
+<define name="_orddate" extract="year, ord">
+	<text><![CDATA[\s([01]\d)([0123]\d\d)\s]]></text>
+</define>
+
+<!-- due to high number of false positive matches, this format is
+     limited to special cases.  either at the start of a line or in
+     filename matches only, by prefixing with a "source::" -->
+
+<!-- don't allow multiple spaces after mashed date.  indicates number in column -->
+<define name="_masheddate" extract="year, month, day">
+	<text><![CDATA[(?:^|source::).*?(?<!\d|\d\.|-)(?:20)?([9012]\d)(0\d|1[012])([012]\d|3[01])(?!\d|-| {2,})]]></text>
+</define>
+<define name="_masheddate2" extract="month, day, year">
+	<text><![CDATA[(?:^|source::).*?(?<!\d|\d\.)(0\d|1[012])([012]\d|3[01])(?:20)?([9012]\d)(?!\d| {2,})]]></text>
+</define>
+
+<define name="_utcepoch" extract="utcepoch, subsecond">
+        <!-- update regex before '2023' -->
+	<text><![CDATA[((?<=^|[\s#,"=\(\[\|\{])(?:1[0123456]|9)\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])]]></text>
+</define>
+
+<timePatterns>
+      <use name="_time"/>
+      <use name="_hmtime"/>
+      <use name="_hmtime"/>
+      <use name="_dottime"/>
+      <use name="_combdatetime"/>
+      <use name="_utcepoch"/>
+      <use name="_combdatetime2"/>
+</timePatterns>
+<datePatterns>
+      <use name="_usdate1"/> 
+      <use name="_usdate2"/> 
+      <use name="_isodate"/>
+      <use name="_eurodate1"/> 
+      <use name="_eurodate2"/> 
+      <use name="_bareurlitdate"/> 
+      <use name="_orddate"/>
+      <use name="_combdatetime"/>
+      <use name="_masheddate"/>
+      <use name="_masheddate2"/>
+      <use name="_combdatetime2"/>
+</datePatterns>
+
+</datetime>
diff --git a/default/inputs.conf b/default/inputs.conf
@@ -62,6 +62,23 @@ interval = -1
 source = ds_remove_output
 script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\dsRemove.ps1"
 
+### Scripts used to correct issues with datetime.xml
+### https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020
+[script://./bin/dateTimeCorrect.sh]
+disabled = 1
+index = _internal
+sourcetype = datetime_correct:output
+interval = -1
+source = datetime_correct_output
+
+[powershell://dateTimeCorrect]
+disabled = 1
+index = _internal
+sourcetype = datetime_correct:output
+interval = -1
+source = datetime_correct_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\dateTimeCorrect.ps1"
+
 ### Admin password change scripts
 [script://./bin/pwchange.sh]
 disabled = 1
