Why are we seeing an additional date field created in indexed data?

yanivdutt
Explorer

Hi,

We are seeing data in Splunk that is different from the actual logs.

Switch - di1-c-qcy 10.xxx.xxx.xx. Below is data from the n/w device:

2015 Apr 13 12:58:38.864 di1-c-qcy-new %ARP-4-INVAL_IP:  arp [9746]  Received packet with invalid source IP address (127.0.0.2) from 7269.e253.0ac8 on Vlan373

Below is data from the syslog server:

Apr 13 12:58:39 10.xxx.xxx.xx 2015 Apr 13 12:58:39.622 PDT: %ARP-4-INVAL_IP:  arp [9746]  Received packet with invalid source IP address (127.0.0.2) from 7269.e253.0ac8 on Vlan373

Below is what we are seeing in Splunk:

Apr 13 12:58:39 10.153.142.16 2015 Apr 13 12:58:39.622 PDT: %ARP-4-INVAL_IP:  arp [9746]  Received packet with invalid source IP address (127.0.0.2) from 7269.e253.0ac8 on Vlan373" | table _time, host, _raw
0 Karma

mikaelbje
Motivator

If you are receiving the logs with a UDP input on your Splunk server you can add

no_appending_timestamp = true

to that input if you want to get rid of the extra timestamp. I usually don't do that since I trust the clock on the Splunk server more than the clock on the endpoint.

0 Karma

sideview
SplunkTrust

What you're seeing in Splunk is identical to what's in syslog, except of course that syslog is configured to add its own timestamp followed by the host. This makes sense, I think. Presented with two timestamps to choose from, and without any specific config to tell it otherwise, Splunk then picks the first one, which is why the timestamp of the event in Splunk is the one rounded up by syslog, rather than the full-precision timestamp with milliseconds from the device.

As to why the event from the device's logs has a timestamp that is almost a second earlier than what you're thinking is the same event in syslog: is it possible that this simply isn't the same event? That there were two otherwise identical events on the same device within 800ms of each other?
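An added illustration of the two answers above (this is not code from the thread or from Splunk): a small Python model that pulls both timestamps out of the syslog copy of the event, applies the "first timestamp wins" rule sideview describes, shows what is left once no header is prepended (the case mikaelbje's no_appending_timestamp = true is meant for), and measures the gap between the device's own log line and the syslog copy. The collector IP 10.0.0.1 is a placeholder, and the header year is assumed to be 2015.

```python
import re
from datetime import datetime

# Constructed sample events, adapted from the question (collector IP is a placeholder).
DEVICE_LINE = ("2015 Apr 13 12:58:38.864 di1-c-qcy-new %ARP-4-INVAL_IP:  arp [9746]  "
               "Received packet with invalid source IP address (127.0.0.2) from 7269.e253.0ac8 on Vlan373")
SYSLOG_LINE = ("Apr 13 12:58:39 10.0.0.1 2015 Apr 13 12:58:39.622 PDT: %ARP-4-INVAL_IP:  arp [9746]  "
               "Received packet with invalid source IP address (127.0.0.2) from 7269.e253.0ac8 on Vlan373")

# Header the syslog collector prepends: "Mon DD HH:MM:SS host " (no year, whole seconds only).
SYSLOG_HDR = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
# Timestamp the device itself writes: "YYYY Mon DD HH:MM:SS.mmm".
DEVICE_TS = re.compile(r"(?P<year>\d{4}) (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})")

def timestamp_candidates(raw, header_year=2015):
    """Every timestamp in the event, in the order it appears in _raw.
    header_year is an assumed stand-in for the year the indexer fills in for a year-less header."""
    found = []
    m = SYSLOG_HDR.match(raw)
    if m:
        found.append(datetime.strptime(f"{header_year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"))
    for m in DEVICE_TS.finditer(raw):
        found.append(datetime.strptime(f"{m['year']} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f"))
    return found

def strip_syslog_header(raw):
    """The event as it looks when the input does not prepend a timestamp/host header."""
    return SYSLOG_HDR.sub("", raw, count=1)

def assigned_time(raw, no_appending_timestamp=False):
    """Model of the rule described in the thread: with no other config, the first timestamp wins.
    With no_appending_timestamp the header is absent, so only the device's ms timestamp remains."""
    event = strip_syslog_header(raw) if no_appending_timestamp else raw
    cands = timestamp_candidates(event)
    return cands[0] if cands else None

def device_vs_syslog_gap_ms(device_line, syslog_line):
    """Milliseconds between the device's own log timestamp and the device timestamp inside the syslog copy."""
    on_device = timestamp_candidates(device_line)[0]
    via_syslog = timestamp_candidates(syslog_line)[-1]
    return round((via_syslog - on_device).total_seconds() * 1000)

if __name__ == "__main__":
    print("default _time      :", assigned_time(SYSLOG_LINE))                             # 2015-04-13 12:58:39
    print("header not prepended:", assigned_time(SYSLOG_LINE, no_appending_timestamp=True))  # 2015-04-13 12:58:39.622000
    print("device vs syslog gap:", device_vs_syslog_gap_ms(DEVICE_LINE, SYSLOG_LINE), "ms")  # 758
```

The 758 ms gap between the two quoted lines is the "almost a second" discrepancy sideview points to, which no timestamp setting can explain on its own.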
