Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does splunk adds a Timestamp to _raw if there already is a valid one.

pinVie
Path Finder
‎08-06-2015 04:40 AM

Hello,

I have the following problem and I don't really know where to look next in order to find the issue.

I have the following Setup. DataSource ----> Univerasl Forwarder ---> Heavy Forwarder --> Index
The Logs in Data Source look like this: Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTANME1) via xx.xx.xx.xxx [432000]

After indexing the logs look like this: Aug 5 11:19:00 xx.xx.xx.xx Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTANME1) via xx.xx.xx.xxx [432000]

We used wireshark to look at the traffic and figured out that the UF is adding this additional timestamp+IP and I have no idea why it does that. Sourcetype is syslog.

Anybody knows this issue or is there any place I can look at, to figure this out ?

Thx a lot !!!

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎08-06-2015 09:41 AM

When using the SYSLOG forwarding feature in Splunk, the default behaviour is to prepend the forwarding hostname or IP address and the current timestamp.

For example:

# [inputs.conf][1]
no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.
* Default is false.

Of course, you'd have to examine the content of your outputs.conf as well. It is important to understand that is only applicable if forwarding SYSLOG.

To properly address this configuration item, it will be necessary to examine the configuration from each hop.

Makes sense?

0 Karma
Reply

pinVie
Path Finder
‎08-06-2015 11:12 PM

Makes a lot of sense - I'll try it as soon as I am in the office. Thx a lot !!

0 Karma
Reply

twinspop
Influencer
‎08-06-2015 09:33 AM

My guess is you're delivering the data via syslog (or syslog-like) services at some point in the data flow. Splunk has the option to disable timestamp prefixing with UDP inputs if you're using Splunk for the UDP input (presumably on the UF):

no_appending_timestamp = [true|false]

jon

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...