https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122595#M33049 <P>Thank you! It works</P> Fri, 17 Jul 2015 05:37:03 GMT vinchakov_a 2015-07-17T05:37:03Z https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122591#M33045 <P>Why splunk adds the date and time to the beginning of a log. How to clean it?</P> <PRE><CODE>Jul 15 09:27:20 172.16.19.1 Jul 15 2015 10:27:20 us-fw01 : ... Jul 15 09:27:20 172.16.19.1 Jul 15 2015 10:27:20 us-fw01 : ... Jul 15 09:27:19 172.16.19.1 Jul 15 2015 10:27:19 us-fw01 : ... Jul 15 09:27:18 172.16.19.1 Jul 15 2015 10:27:18 us-fw01 : ... Jul 15 09:27:17 172.16.19.1 Jul 15 2015 10:27:17 us-fw01 : ... </CODE></PRE> Wed, 15 Jul 2015 06:34:10 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122591#M33045 vinchakov_a 2015-07-15T06:34:10Z https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122592#M33046 <P>It will be nearly impossible to help you without MUCH more information. Is this coming in as Syslog? What is in your <CODE>*.conf</CODE> files?</P> Wed, 15 Jul 2015 14:10:54 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122592#M33046 woodcock 2015-07-15T14:10:54Z https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122593#M33047 <P>Yes, this coming in as standard Syslog. </P> Fri, 17 Jul 2015 04:31:59 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122593#M33047 vinchakov_a 2015-07-17T04:31:59Z https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122594#M33048 <P>Go to <CODE>inputs.conf</CODE> under where you define the input port, add:</P> <PRE><CODE>no_appending_timestamp = true </CODE></PRE> <P>From <CODE>inputs.conf.spec</CODE> documentation file:</P> <PRE><CODE>no_appending_timestamp = [true|false] * If this attribute is set to true, Splunk does NOT append a timestamp and host to received events. * NOTE: Do NOT include this attribute if you want to append timestamp and host to received events. * Default is false. </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#inputs.conf.spec">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#inputs.conf.spec</A></P> Fri, 17 Jul 2015 05:13:03 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122594#M33048 woodcock 2015-07-17T05:13:03Z https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122595#M33049 <P>Thank you! It works</P> Fri, 17 Jul 2015 05:37:03 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122595#M33049 vinchakov_a 2015-07-17T05:37:03Z https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122596#M33050 <P>When you ask a question better, you get better answers!</P> Fri, 17 Jul 2015 06:13:00 GMT https://community.splunk.com/t5/Splunk-Search/timestamp-in-the-beginning/m-p/122596#M33050 woodcock 2015-07-17T06:13:00Z