https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286839#M54801 <P>Modify <CODE>inputs.conf</CODE> inside the stanza where you define the input port, add:</P> <PRE><CODE>no_appending_timestamp = true </CODE></PRE> <P>From inputs.conf.spec documentation file:</P> <PRE><CODE>no_appending_timestamp = true If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events. NOTE: Do NOT include this key if you want to append timestamp and host to received events. </CODE></PRE> <P>You will have to restart the splunk instances on your Forwarders.</P> Sat, 24 Oct 2015 18:04:04 GMT woodcock 2015-10-24T18:04:04Z https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286835#M54797 <P>Hey all.</P> <P>Trying to figure out how to clear up my issue. I'm getting two separate time stamps on a syslog entry coming from a Linux box.</P> <P>As you can see below, it is sending over the FQDN and short name as well.</P> <PRE><CODE>Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: pam_unix(su-l:session): session opened for use </CODE></PRE> <P>Digging around, this looks to be a syslog (using rsyslog) setup.<BR /> Here is my line in rsyslog.conf</P> <P>authpriv.* @prometheus:514</P> <P>Pretty straight forward, but scratching my head as to why it is being sent over like that.</P> Wed, 21 Oct 2015 18:05:03 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286835#M54797 thecoffeeguy14 2015-10-21T18:05:03Z https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286836#M54798 <P>Check in the rsyslog.conf, what template is being used, line may look like below</P> <PRE><CODE>$ActionFileDefaultTemplate ..name..of the temp... </CODE></PRE> Wed, 21 Oct 2015 18:23:38 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286836#M54798 somesoni2 2015-10-21T18:23:38Z https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286837#M54799 <P>Heya.<BR /> Just was looking at that. Here is what is currently set in rsyslog.conf:</P> <P>$ActionFileDefaultTemplate RSYSLOG_FileFormat</P> <P>Just started to dig into the rsyslog guides to find out some more, see if i can resolve this.</P> Wed, 21 Oct 2015 18:29:11 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286837#M54799 thecoffeeguy14 2015-10-21T18:29:11Z https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286838#M54800 <P>This might be useful (setting up custom format)<BR /> <A href="http://unix.stackexchange.com/questions/103218/add-year-to-entries-generated-by-rsyslogd">http://unix.stackexchange.com/questions/103218/add-year-to-entries-generated-by-rsyslogd</A></P> Thu, 22 Oct 2015 21:58:24 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286838#M54800 somesoni2 2015-10-22T21:58:24Z https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286839#M54801 <P>Modify <CODE>inputs.conf</CODE> inside the stanza where you define the input port, add:</P> <PRE><CODE>no_appending_timestamp = true </CODE></PRE> <P>From inputs.conf.spec documentation file:</P> <PRE><CODE>no_appending_timestamp = true If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events. NOTE: Do NOT include this key if you want to append timestamp and host to received events. </CODE></PRE> <P>You will have to restart the splunk instances on your Forwarders.</P> Sat, 24 Oct 2015 18:04:04 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-two-time-stamps-in-a-syslog-entry-how-to-correct/m-p/286839#M54801 woodcock 2015-10-24T18:04:04Z