Solved: Why are a timestamp and hostname prepended to my U...

Jason · ‎12-01-2010

I have Splunk listening to a handful of UDP ports for different types of syslog data. All events that come in, in addition to a timestamp and hostname in the event already, are being prepended by another timestamp and a hostname or IP.

The timestamp can be far off from the actual event, and appears to be the indexer's time(zone), where the event could be generated by a device on the other side of the globe.

This is messing with my TZ settings. How do I tell Splunk to stop doing this?

Jason · ‎12-01-2010

This is a default behavior of Splunk, for UDP inputs. To turn off, in the appropriate inputs.conf file, under the appropriate [udp://...] stanza, add no_appending_timestamp = true.

View solution in original post

Jason · ‎12-01-2010

This is a default behavior of Splunk, for UDP inputs. To turn off, in the appropriate inputs.conf file, under the appropriate [udp://...] stanza, add no_appending_timestamp = true.

Jason · ‎12-02-2010

I see - I have noticed this. It has never been a problem before, but four of the five client UDP inputs have their own hostname and timestamp that messes with TZ settings because the stamp is always local.

gkanapathy · ‎12-02-2010

This is a default behavior of all syslog servers, including syslogd, rsyslog, and syslog-ng. Syslog devices usually do not generate timestamps or hostnames when the message is transmitted. The timestamps and hostnames in syslog files created by syslog server daemons are usually prepended by the server daemon when received.

Why are a timestamp and hostname prepended to my UDP input events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!