Hello,
I have the following problem and I don't really know where to look next in order to find the issue.
I have the following setup: DataSource ----> Universal Forwarder ---> Heavy Forwarder --> Index
The Logs in Data Source look like this: Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTANME1) via xx.xx.xx.xxx [432000]
After indexing the logs look like this: Aug 5 11:19:00 xx.xx.xx.xx Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTANME1) via xx.xx.xx.xxx [432000]
We used Wireshark to look at the traffic and figured out that the UF is adding this additional timestamp+IP, and I have no idea why it does that. Sourcetype is syslog.
Does anybody know this issue, or is there any place I can look to figure this out?
Thx a lot!!!
When using the SYSLOG forwarding feature in Splunk, the default behaviour is to prepend the forwarding hostname or IP address and the current timestamp.
For example:
# inputs.conf
no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.
* Default is false.
Of course, you'd have to examine the content of your outputs.conf as well. It is important to understand that this is only applicable if forwarding SYSLOG.
To properly address this configuration item, it will be necessary to examine the configuration from each hop.
Makes sense?
Makes a lot of sense - I'll try it as soon as I am in the office. Thx a lot!!
My guess is you're delivering the data via syslog (or syslog-like) services at some point in the data flow. Splunk has the option to disable timestamp prefixing with UDP inputs if you're using Splunk for the UDP input (presumably on the UF):
no_appending_timestamp = [true|false]
jon
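Both answers above point at no_appending_timestamp on the UDP syslog input. As an added check that is not part of this thread (the header pattern is assumed from the indexed line in the question; sample lines and addresses are constructed), this script finds events that carry a prepended forwarder header, recovers the original event, and measures the clock skew between the two timestamps, which is what throws off _time and later correlation:

```python
import re
from datetime import datetime

# Syslog header as shown in the question: "Mon D HH:MM:SS" (the day may be
# padded with a second space, as RFC 3164 emitters do).
SYSLOG_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"

# A line starting with TWO syslog headers: the first was prepended by the
# forwarder's UDP syslog input (default when no_appending_timestamp is unset),
# the second is the original header written by the data source. (Assumed format.)
DOUBLE_HEADER_RE = re.compile(
    rf"^(?P<added_ts>{SYSLOG_TS}) (?P<fwd_host>\S+) "
    rf"(?P<event>(?P<orig_ts>{SYSLOG_TS}) .*)$"
)

def _parse_ts(ts):
    # Syslog headers carry no year; parse against a leap year so Feb 29 is valid.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def split_prepended(line):
    """Return {'added_ts','fwd_host','orig_ts','event'} when a forwarder header
    was prepended to an already-formatted syslog event, else None."""
    m = DOUBLE_HEADER_RE.match(line)
    return m.groupdict() if m else None

def header_skew_seconds(line):
    """Seconds by which the forwarder's prepended timestamp is ahead of the
    original one (None if nothing was prepended). A large value, two hours in
    the question's sample, points at a clock or timezone mismatch; Splunk's
    timestamp recognition scans from the start of the event, so the prepended
    one is the one that tends to become _time."""
    parts = split_prepended(line)
    if parts is None:
        return None
    delta = _parse_ts(parts["added_ts"]) - _parse_ts(parts["orig_ts"])
    return int(delta.total_seconds())

def audit(lines):
    """Flag every line carrying a prepended forwarder header; returns a list of
    (line_number, forwarder_host, skew_seconds, original_event)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        parts = split_prepended(line)
        if parts:
            findings.append((n, parts["fwd_host"], header_skew_seconds(line), parts["event"]))
    return findings

# Constructed sample lines modelled on the question (addresses are made up).
SAMPLE_LINES = [
    # What the HF/indexer received: the UF prepended its own timestamp and IP
    "Aug 5 11:19:00 10.0.0.7 Aug 5 09:19:44 dhcpd: DHCPACK on 10.0.0.23 "
    "to 00:11:22:33:44:55 (HOSTNAME1) via 10.0.0.1 [432000]",
    # The same event once no_appending_timestamp = true is set on the UDP input
    "Aug 5 09:19:44 dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 "
    "(HOSTNAME1) via 10.0.0.1 [432000]",
]

if __name__ == "__main__":
    for n, host, skew, event in audit(SAMPLE_LINES):
        print(f"line {n}: header prepended by {host}, skew {skew}s -> {event}")
```

Run it over a sample exported from the indexer (and again after changing the input) to confirm the prefix is gone and the original timestamps survive intact.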