Hi all,
I have a UDP port 1514 which I forward syslog data to (it is a homelab; I am aware that a syslog server with a forwarder would be better).
My current config in /opt/splunk/etc/apps/search/local/inputs.conf is:
[udp://1514]
connection_host = ip
index = syslog
sourcetype = syslog
But now, logs are coming in as:
Sep 15 21:12:10 10.0.60.1 Sep 15 20:13:28 HOSTNAME dnsmasq[28957]: reply apps[.]splunk[.]com is 54.186.82.128
So I would like to not prepend the log with the timestamp. Several resources indicate that I should add "no_appending_timestamp = true" to my config. Which would make it the following:
[udp://1514]
connection_host = ip
index = syslog
sourcetype = syslog
no_appending_timestamp = true
But when I do this, the logs are not coming in anymore (at least, I cannot query them).
Does someone know what the problem is?
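An added example, not part of the original post or of Splunk's own code: a small Python parser for the two line shapes involved, the UDP event with the receipt timestamp and sender IP prepended (what the post shows) and the bare syslog line (what arrives once no_appending_timestamp = true is set). The sample lines are constructed from the one in the post; the year is an assumption, since BSD syslog timestamps carry none. The parser also computes the gap between the receipt time and the timestamp embedded in the message, which in the posted line is 58 minutes 42 seconds. That gap is the first thing to check when events ingested with no_appending_timestamp = true stop appearing in a recent-time search: with the prefix gone, the event time is taken from the embedded timestamp, so an event that lags by almost an hour falls outside a "last 15 minutes" window even though it was just received.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the line in the post.
WITH_PREFIX = ("Sep 15 21:12:10 10.0.60.1 Sep 15 20:13:28 HOSTNAME dnsmasq[28957]: "
               "reply apps[.]splunk[.]com is 54.186.82.128")
WITHOUT_PREFIX = ("Sep 15 20:13:28 HOSTNAME dnsmasq[28957]: "
                  "reply apps[.]splunk[.]com is 54.186.82.128")

# BSD syslog timestamp: "Mon dd HH:MM:SS", day space-padded.
SYSLOG_TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
# Prefix Splunk prepends to UDP events: receipt timestamp, sender IP, then the
# original message (which itself starts with a syslog timestamp).
PREFIX_RE = re.compile(
    rf"^(?P<received>{SYSLOG_TS}) (?P<src_ip>\d+\.\d+\.\d+\.\d+) (?P<rest>{SYSLOG_TS} .*)$")
# Bare syslog message: timestamp, hostname, program[pid]: message.
MSG_RE = re.compile(
    rf"^(?P<ts>{SYSLOG_TS}) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Assumed year: syslog timestamps have none, so one must be supplied.
ASSUMED_YEAR = 2024


def _ts(text, year):
    """Turn a syslog timestamp into a datetime using the supplied year."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_event(line, year=ASSUMED_YEAR):
    """Parse a line with or without the prepended receipt time and sender IP.

    Returns a dict with the receipt time and sender IP (None when absent), the
    event time taken from the embedded syslog timestamp, host, program, pid,
    message, and the lag in seconds between receipt and event time.
    """
    received = src_ip = None
    m = PREFIX_RE.match(line)
    if m:
        received = _ts(m["received"], year)
        src_ip = m["src_ip"]
        line = m["rest"]
    mm = MSG_RE.match(line)
    if not mm:
        raise ValueError(f"not a syslog line: {line!r}")
    event_time = _ts(mm["ts"], year)
    return {
        "received": received,
        "src_ip": src_ip,
        "event_time": event_time,
        "host": mm["host"],
        "prog": mm["prog"],
        "pid": int(mm["pid"]) if mm["pid"] else None,
        "msg": mm["msg"],
        "lag_seconds": (received - event_time).total_seconds() if received else None,
    }


def within_window(event, now, window=timedelta(minutes=15)):
    """True if the event's parsed time falls inside a 'last <window>' search ending at now."""
    return now - window <= event["event_time"] <= now


if __name__ == "__main__":
    for line in (WITH_PREFIX, WITHOUT_PREFIX):
        ev = parse_event(line)
        print(ev)
    ev = parse_event(WITH_PREFIX)
    # At the moment of receipt, would this event show in a 'last 15 minutes' search?
    print("visible in last-15-minutes search at receipt:",
          within_window(ev, ev["received"]))
```

The receipt time is only available in the prefixed shape; once the prefix is dropped, the sender IP also disappears from the raw event and the only host identity left is the HOSTNAME token inside the message, so a check on the host field is worth adding alongside the time check.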