Recently I noticed that logs sent by my switch to Splunk are indexed with a double date & time format: my switch date and my Splunk date. For example:
Oct 18 01:12:36 172.16.12.6 Oct 18 01:11:36 SW-NUS1-LT12A SW-NUS1-LT12A: last message repeated 66 times
As far as I remember, when I first installed Splunk it didn't format like this. Thanks.
It doesn't work, still the same. Strangely, it only happens to my Juniper EX switch.
From inputs.conf documentation:
no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.
* Default is false.
http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Inputsconf
The log I see in my Splunk server is like this:
Oct 18 01:12:36 172.16.12.6 Oct 18 01:11:36 SW-NUS1-LT12A SW-NUS1-LT12A: last message repeated 66 times
Which, if you look at it, has double date "Oct 18 01:12:36 172.16.12.6 Oct 18 01:11:36" data.
As far as I remember, when I first installed Splunk the log only had one timestamp.
@supernana, I am not sure what your question is?
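An added example, not part of the thread or of Splunk: a small Python check that finds events carrying two syslog-style headers, like the one quoted above, and reports the gap between the two timestamps. The function name, the year default and the reading of the first header (the one with the source IP) as the receiver's are assumptions made for illustration.

```python
import re
from datetime import datetime

# Syslog-style header: "Mon DD HH:MM:SS <host> "
HEADER = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)
TS_FORMAT = "%Y %b %d %H:%M:%S"


def split_double_header(event, year=2000):
    """Return the two headers of a double-stamped event, or None.

    `year` is an assumption: this header format carries no year, so one
    is supplied only to make the timestamps parseable.
    """
    outer = HEADER.match(event)
    if outer is None:
        return None
    # A second header starting exactly where the first ends means the
    # event was stamped twice.
    inner = HEADER.match(event, outer.end())
    if inner is None:
        return None
    t_outer = datetime.strptime(f"{year} {outer['ts']}", TS_FORMAT)
    t_inner = datetime.strptime(f"{year} {inner['ts']}", TS_FORMAT)
    return {
        "outer_host": outer["host"],   # assumed: host as seen by the receiver
        "inner_host": inner["host"],   # assumed: name the device put in its header
        "skew_seconds": int((t_outer - t_inner).total_seconds()),
        "message": event[inner.end():],
    }


# Event quoted in the thread above.
DOUBLE = ("Oct 18 01:12:36 172.16.12.6 Oct 18 01:11:36 SW-NUS1-LT12A "
          "SW-NUS1-LT12A: last message repeated 66 times")
# Constructed for comparison: the same event with a single header.
SINGLE = ("Oct 18 01:11:36 SW-NUS1-LT12A "
          "SW-NUS1-LT12A: last message repeated 66 times")

if __name__ == "__main__":
    print(split_double_header(DOUBLE))
    print(split_double_header(SINGLE))
```

For the quoted event the two timestamps differ by 60 seconds, so which header is used for the event time changes where the event lands in a timeline.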