https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17402#M2237 <P>I guess I should just keep trying. I figured out how to get it to work.</P> <P>in $SPLUNK_HOME/etc/system/local create props.conf</P> <P>props.conf </P> <P>[syslog] TRANSFORMS = syslog-header-stripper-ts-host REPORT-syslog = syslog-extractions</P> <P>In $SPLUNK_HOME/etc/system/local create transforms.conf</P> <P>transforms.conf</P> <P>[syslog-header-stripper-ts-host] REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]<EM>\s(.</EM>)$ FORMAT = $1 DEST_KEY = _raw</P> <P>Restart Splunk and it works</P> Thu, 15 Jul 2010 02:21:29 GMT bbear 2010-07-15T02:21:29Z https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17400#M2235 <P>Hi All,</P> <P>I have been trying to get Splunk to strip off the timestamp and host of forwarded events but do not understand how to do this.</P> <P>I have syslog-ng and Splunk on the same server. Syslog-ng is forwarding the events to udp port 1514 for Splunk to read and index. This all works fine. But the data Splunk receives has the timestamp and hostname of the syslog server in addition to the evendata host. I.E.</P> <P>Jul 14 14:15:56 10.128.213.50 Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900 </P> <P>Notice the additional timestamp above. I see in the docs and in the answers forum that this is possible to have Splunk strip this out before indexing, but I have not been able to get all the pieces worked out.</P> <P>Does someone know the answer that has worked this out already? I would like Splunk to strip the event to look like:</P> <P>Jul 14 14:15:56 my-host-int02 snmpd[7777]: Received SNMP packet(s) from UDP: [10.128.30.20]:54900 </P> Thu, 15 Jul 2010 01:19:20 GMT https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17400#M2235 bbear 2010-07-15T01:19:20Z https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17401#M2236 <P>You could do this by modifying the raw event text with a SEDCMD your props.conf (eg. $SPLUNK_HOME/etc/system/local/props.conf)</P> <PRE><CODE>[source::tcp:1514] SEDCMD-remove-dbl-date=s/^[A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+\s+([A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+\s+)/\1/g </CODE></PRE> Thu, 15 Jul 2010 02:18:57 GMT https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17401#M2236 ziegfried 2010-07-15T02:18:57Z https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17402#M2237 <P>I guess I should just keep trying. I figured out how to get it to work.</P> <P>in $SPLUNK_HOME/etc/system/local create props.conf</P> <P>props.conf </P> <P>[syslog] TRANSFORMS = syslog-header-stripper-ts-host REPORT-syslog = syslog-extractions</P> <P>In $SPLUNK_HOME/etc/system/local create transforms.conf</P> <P>transforms.conf</P> <P>[syslog-header-stripper-ts-host] REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]<EM>\s(.</EM>)$ FORMAT = $1 DEST_KEY = _raw</P> <P>Restart Splunk and it works</P> Thu, 15 Jul 2010 02:21:29 GMT https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17402#M2237 bbear 2010-07-15T02:21:29Z https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17403#M2238 <P>It would be best to avoid having the double added in the first place. In inputs.conf, under where you define the input port, add:</P> <PRE><CODE>no_appending_timestamp = true </CODE></PRE> <P>From inputs.conf.spec documentation file:</P> <PRE><CODE>no_appending_timestamp = true * If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events. * NOTE: Do NOT include this key if you want to append timestamp and host to received events. </CODE></PRE> Thu, 15 Jul 2010 05:51:57 GMT https://community.splunk.com/t5/Getting-Data-In/double-host-name-and-timestamps/m-p/17403#M2238 gkanapathy 2010-07-15T05:51:57Z