Getting Data In

Why does Splunk add a timestamp to _raw if there already is a valid one?

pinVie
Path Finder

Hello,

I have the following problem and I don't really know where to look next in order to find the issue.

I have the following setup: DataSource ----> Universal Forwarder ---> Heavy Forwarder --> Index
The logs in the data source look like this: Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTNAME1) via xx.xx.xx.xxx [432000]

After indexing the logs look like this: Aug 5 11:19:00 xx.xx.xx.xx Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTNAME1) via xx.xx.xx.xxx [432000]

We used Wireshark to look at the traffic and figured out that the UF is adding this additional timestamp + IP, and I have no idea why it does that. Sourcetype is syslog.

Does anybody know this issue, or is there any place I can look to figure this out?

Thx a lot !!!


Gilberto_Castil
Splunk Employee

When using the SYSLOG forwarding feature in Splunk, the default behaviour is to prepend the forwarding hostname or IP address and the current timestamp.

For example:

# inputs.conf, in the [udp://<port>] stanza of the hop that receives the syslog traffic
no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.
* Default is false.

Of course, you'd have to examine the content of your outputs.conf as well. It is important to understand that this is only applicable if forwarding SYSLOG.

To properly address this configuration item, it will be necessary to examine the configuration from each hop.

Makes sense?


pinVie
Path Finder

Makes a lot of sense - I'll try it as soon as I am in the office. Thx a lot !!


twinspop
Influencer

My guess is you're delivering the data via syslog (or syslog-like) services at some point in the data flow. Splunk has the option to disable timestamp prefixing with UDP inputs if you're using Splunk for the UDP input (presumably on the UF):

no_appending_timestamp = [true|false]

jon
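As an added illustration (not code from this thread or from Splunk), the following Python script shows what the default UDP-input prefix described in both answers looks like in `_raw`, and how to audit already-indexed events for it before and after setting `no_appending_timestamp = true`. It splits a double-stamped line back into the forwarder-added `<timestamp> <host>` prefix and the untouched original message, and computes the skew between the two timestamps; that skew is what lands in `_time` when Splunk's default extraction takes the first timestamp it recognizes in the event. The sample lines are constructed from the format shown in the question; the IPs, MACs and hostnames are placeholders.

```python
"""Detect and strip the "<timestamp> <host> " prefix that a Splunk UDP syslog
input prepends by default (no_appending_timestamp = false).

Added example, not code from the original thread or from Splunk. The sample
events are constructed from the format in the question; addresses and
hostnames are placeholders.
"""
import re
from datetime import datetime

# BSD-syslog timestamp as written by dhcpd and friends: "Aug  5 09:19:44"
# (single-digit days are padded with a second space; both forms are accepted)
_TS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
# Sender token the UDP input inserts after its own timestamp (IP or hostname)
_HOST = r"\S+"
# Prefixed event: Splunk's timestamp, Splunk's idea of the sender, then the
# original event, which itself still starts with the source's syslog timestamp.
PREFIXED = re.compile(rf"^(?P<ts>{_TS}) (?P<host>{_HOST}) (?P<event>(?:{_TS}) .*)$")

# Constructed sample input: first line is double-stamped as in the question,
# second line is clean, as the source actually wrote it.
SAMPLE = [
    "Aug  5 11:19:00 10.0.0.5 Aug  5 09:19:44 dhcpd: DHCPACK on 10.0.0.42 "
    "to aa:bb:cc:dd:ee:ff (HOSTNAME1) via 10.0.0.1 [432000]",
    "Aug  5 09:19:45 dhcpd: DHCPREQUEST for 10.0.0.43 from aa:bb:cc:dd:ee:01 "
    "(HOSTNAME2) via 10.0.0.1",
]


def split_prefixed(raw):
    """Return (splunk_ts, sender, original_event) if raw carries the
    forwarder-added prefix, otherwise None."""
    m = PREFIXED.match(raw)
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("event")


def parse_ts(ts, year):
    """Parse a BSD-syslog timestamp (no year, no zone) into a datetime.
    The caller supplies the year because the format omits it."""
    return datetime.strptime(f"{year} {ts.replace('  ', ' ')}", "%Y %b %d %H:%M:%S")


def audit(events, year=2024):
    """Classify events. Returns how many were double-stamped, the events with
    the prefix removed, and for each prefixed event the difference in seconds
    between the forwarder's clock and the source's own timestamp."""
    stripped, skews = [], []
    for raw in events:
        parts = split_prefixed(raw)
        if parts is None:
            stripped.append(raw)
            continue
        splunk_ts, _sender, original = parts
        stripped.append(original)
        src_ts = re.match(_TS, original).group(0)
        skew = (parse_ts(splunk_ts, year) - parse_ts(src_ts, year)).total_seconds()
        skews.append(skew)
    return {"prefixed": len(skews), "events": stripped, "skew_seconds": skews}


if __name__ == "__main__":
    result = audit(SAMPLE)
    print(f"double-stamped events: {result['prefixed']} of {len(SAMPLE)}")
    for skew in result["skew_seconds"]:
        print(f"  forwarder clock is {skew:+.0f}s from the source timestamp")
    for line in result["events"]:
        print("  ", line)
```

Run it against a sample exported from the index (for example `_raw` values for the affected sourcetype) and a non-zero `prefixed` count tells you which hop is still stamping. The skew figure is the part worth checking from an incident-response point of view: in the question's own example the two timestamps differ by almost two hours, so events timed from the prefix would sort against the forwarder's clock and zone rather than the source's.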
