I read in syslog data from a network appliance that uses space delimited fields and have been experiencing an issue in which the field order is periodically offset. I eventually narrowed this down to the first 9 days of the month. The trouble is Splunk is appending a timestamp on my events but pads a space in the Date field for single digit days (e.g. 1-9). This throws the field order off and I end up having to alternate between two transforms.conf files I prepared.

The first example works fine for double digit days. The alternate has to be swapped in for single digit days and basically ignores the extra space by interpreting the field twice.

Normal transforms.conf file

FIELDS=Month,Day,Systime,host,month,day,systime,format,time,duration,server_ip,uri_host,clientip,action,bytes,method,uri_path,username,hierarchy,content_type

Sep 24 23:59:59 192.168.1.12 Sep 24 23:59:59 AN_SQUID_VIP_HOST_LOG 1380081599.897 1749 192.168.1.43 www.website.com 127.0.0.1 TCP_MISS/200 76878 GET /page5 - DIRECT/192.168.1.32 -

Alternate transforms.conf file

FIELDS=Month,Day,Day,Systime,host,month,day,systime,format,time,duration,server_ip,uri_host,clientip,action,bytes,method,uri_path,username,hierarchy,content_type

Oct  2 18:10:23 192.168.1.12 Sep 24 23:59:59 AN_SQUID_VIP_HOST_LOG 1380081599.897 1749 192.168.1.43 www.website.com 127.0.0.1 TCP_MISS/200 76878 GET /page5 - DIRECT/192.168.1.32 -

I later found I could solve this behavior by removing the timestamp and setting the "no_appending_timestamp" attribute to a true value in the inputs.conf file on my Universal Forwarder. The problem with this solution is that it also removes the host field so I don't know which source IP or device where the event is coming from.

My question is, is there another way to remove the timestamp but keep the host field?

Here is my current inputs.conf file

INPUTS.CONF

[default]
host = splunk-uf

[udp://514]
sourcetype = syslog
connection_host = ip
queue = parsingQueue
no_appending_timestamp = true