https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293466#M55834 <P>There an upgrade on my problem:<BR /> I found that events are indexed but with a wrong year date Nov 22 2016 !<BR /> This is the indexed log</P> <PRE><CODE>Nov 22 16:35:23 xx.xx.xx.xx Nov 22 16:35:31 CRM-ACS-A1 CSCOacs_Failed_Attempts 0000991147 2 0 2017-11-22 16:35:31.951 +01:00 .... </CODE></PRE> <P>But the problem is now: why Splunk read a wrong year?<BR /> Year isn't declared in logs but both Indexers and HFs system date are correct (2017).</P> <P>Anyone has an idea where search the problem?</P> <P>Bye.<BR /> Giuseppe</P> Wed, 22 Nov 2017 15:45:21 GMT gcusello 2017-11-22T15:45:21Z https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293465#M55833 <P>HI at all I have a very strange thing:<BR /> I'm using Splunk 7.0.0 in all systems.<BR /> I have two Heavy Forwarders with a Load Balancer Netscaler in front of, that receive syslogs and send them to two Indexers.<BR /> There a Cisco ACS that sends syslogs to my HFs and it was running.</P> <P>Some time ago there was an upgrade of Cisco ACS so from that moment I don't receive more events.<BR /> Checking Splunk logs I found that I have in _internal from the HFs the following logs:</P> <PRE><CODE>11-22-2017 15:24:14.423 +0100 INFO Metrics - group=udpin_connections, xx.xx.xx.xx:514, sourcePort=514, _udp_bps=71.82, _udp_kbps=0.07, _udp_avg_thruput=0.08, _udp_kprocessed=27.53, _udp_eps=0.10 </CODE></PRE> <P>.</P> <PRE><CODE>11-22-2017 15:24:14.420 +0100 INFO Metrics - group=per_host_thruput, series="xx.xx.xx.xx", kbps=0.0650822688668127, eps=0.06451524038685016, kb=2.017578125, ev=2, avg_age=31536011.5, max_age=31536023 </CODE></PRE> <P>Where xx.xx.xx.xx is the HFs IP address.<BR /> And this means that HFs are receiving logs, but they aren't indexed.</P> <P>Anyone can help me to understand what's happening?</P> <P>Bye.<BR /> Giuseppe</P> Wed, 22 Nov 2017 14:59:32 GMT https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293465#M55833 gcusello 2017-11-22T14:59:32Z https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293466#M55834 <P>There an upgrade on my problem:<BR /> I found that events are indexed but with a wrong year date Nov 22 2016 !<BR /> This is the indexed log</P> <PRE><CODE>Nov 22 16:35:23 xx.xx.xx.xx Nov 22 16:35:31 CRM-ACS-A1 CSCOacs_Failed_Attempts 0000991147 2 0 2017-11-22 16:35:31.951 +01:00 .... </CODE></PRE> <P>But the problem is now: why Splunk read a wrong year?<BR /> Year isn't declared in logs but both Indexers and HFs system date are correct (2017).</P> <P>Anyone has an idea where search the problem?</P> <P>Bye.<BR /> Giuseppe</P> Wed, 22 Nov 2017 15:45:21 GMT https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293466#M55834 gcusello 2017-11-22T15:45:21Z https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293467#M55835 <P>I found the problem: I don't know why Splunk didn't use the first timestamp in stead used the second interpreting last number of IP address as year, so timestamp was the highlighted</P> <P>Nov 22 16:35:23 xx.xx.xx.<STRONG>16 Nov 22 16:35:31</STRONG> CRM-ACS-A1 CSCOacs_Failed_Attempts 0000991147 2 0 2017-11-22 16:35:31.951 +01:00 ....</P> <P>and event was indexed with timestamp<BR /> 2016-11-22 16:53:31</P> <P>This could be useful for others.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 16:56:22 GMT https://community.splunk.com/t5/Getting-Data-In/logs-by-udp-syslog/m-p/293467#M55835 gcusello 2020-09-29T16:56:22Z