Trying to figure out how to clear up my issue. I'm getting two separate timestamps on a syslog entry coming from a Linux box.
As you can see below, it is sending over the FQDN and the short name as well.
Oct 21 10:49:53 hyperion.btlab.test Oct 21 13:49:53 hyperion su: pam_unix(su-l:session): session opened for use
Digging around, this looks to be a syslog (using rsyslog) setup.
Here is my line in rsyslog.conf
Pretty straightforward, but I'm scratching my head as to why it is being sent over like that.
Check in rsyslog.conf which template is being used; the line may look like the one below:
$ActionFileDefaultTemplate ..name..of the temp...
Just was looking at that. Here is what is currently set in rsyslog.conf:
Just started to dig into the rsyslog guides to find out some more, to see if I can resolve this.
In inputs.conf, inside the stanza where you define the input port, add:
no_appending_timestamp = true
From the inputs.conf.spec documentation file:
no_appending_timestamp = true
If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events. NOTE: Do NOT include this key if you want to append a timestamp and host to received events.
You will have to restart the Splunk instances on your forwarders.
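Two checks a practitioner would want alongside that answer, written here as an added example (not code from the original thread or from Splunk): first, a parser that recognises the doubled "timestamp host" header on received events, splits it back into the Splunk-added part and the original rsyslog part, and measures the gap between the two clocks; second, an audit of inputs.conf text that flags network input stanzas lacking no_appending_timestamp = true. The sample event and the sample inputs.conf are constructed for this example (the event is modelled on the line in the question); checking only udp:// stanzas is an assumption of the example, based on the setting being documented for UDP inputs, so confirm against the inputs.conf.spec shipped with your Splunk version.

```python
"""Detect Splunk's prepended "timestamp host" header on syslog events and audit inputs.conf.

Added example for this thread; the sample event and config below are constructed.
"""
import configparser
import re
from datetime import datetime

# Constructed event modelled on the one in the question: Splunk prepended
# "Oct 21 10:49:53 hyperion.btlab.test" in front of the original rsyslog line.
SAMPLE_EVENT = (
    "Oct 21 10:49:53 hyperion.btlab.test "
    "Oct 21 13:49:53 hyperion su: pam_unix(su-l:session): session opened for user root"
)

# BSD-style syslog timestamp: "Mon DD HH:MM:SS", day may be space padded ("Oct  1").
HEADER = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
DOUBLE_HEADER = re.compile(
    rf"^(?P<ts1>{HEADER}) (?P<host1>\S+) (?P<ts2>{HEADER}) (?P<host2>\S+) (?P<msg>.*)$"
)
SINGLE_HEADER = re.compile(rf"^(?P<ts>{HEADER}) (?P<host>\S+) (?P<msg>.*)$")


def split_event(line):
    """Split a received line into header fields.

    Returns a dict with the original timestamp/host/message and, when a second
    header was prepended by the receiver, that header under splunk_ts/splunk_host.
    Returns None if the line has no recognisable syslog header at all.
    A message whose own first two tokens happen to look like a timestamp and
    host would be misread as doubled; that is rare but worth knowing.
    """
    m = DOUBLE_HEADER.match(line)
    if m:
        return {"doubled": True, "splunk_ts": m["ts1"], "splunk_host": m["host1"],
                "ts": m["ts2"], "host": m["host2"], "msg": m["msg"]}
    m = SINGLE_HEADER.match(line)
    if m:
        return {"doubled": False, "splunk_ts": None, "splunk_host": None,
                "ts": m["ts"], "host": m["host"], "msg": m["msg"]}
    return None


def strip_splunk_header(line):
    """Return the event as rsyslog sent it, dropping the receiver-added header if present."""
    ev = split_event(line)
    if ev is None or not ev["doubled"]:
        return line
    return f"{ev['ts']} {ev['host']} {ev['msg']}"


def clock_skew_seconds(line):
    """Seconds between the source timestamp and the receiver's stamp (positive = source ahead).

    A whole-hour gap, as in the sample, usually points at a timezone difference
    between the Linux box and the receiving Splunk instance rather than transit delay.
    Year is absent from BSD timestamps, so both parse to the same dummy year.
    """
    ev = split_event(line)
    if ev is None or not ev["doubled"]:
        return 0
    fmt = "%b %d %H:%M:%S"
    src = datetime.strptime(" ".join(ev["ts"].split()), fmt)
    rcv = datetime.strptime(" ".join(ev["splunk_ts"].split()), fmt)
    return int((src - rcv).total_seconds())


# Constructed inputs.conf: the UDP stanza is missing the setting, the second has it.
SAMPLE_INPUTS_CONF = """\
[udp://514]
sourcetype = syslog
connection_host = dns

[udp://1514]
sourcetype = syslog
connection_host = dns
no_appending_timestamp = true
"""


def udp_inputs_missing_setting(conf_text):
    """Return the udp:// stanzas in conf_text that do not set no_appending_timestamp = true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(conf_text)
    missing = []
    for section in cp.sections():
        if not section.startswith("udp:"):
            continue  # assumption: setting applies to UDP network inputs
        value = cp.get(section, "no_appending_timestamp", fallback="false")
        if value.strip().lower() != "true":
            missing.append(section)
    return missing


if __name__ == "__main__":
    print(split_event(SAMPLE_EVENT))
    print(strip_splunk_header(SAMPLE_EVENT))
    print("skew seconds:", clock_skew_seconds(SAMPLE_EVENT))
    print("stanzas to fix:", udp_inputs_missing_setting(SAMPLE_INPUTS_CONF))
```

Run it against lines exported from your index to confirm which events carry the doubled header, and run the audit against each forwarder's inputs.conf before the restart the answer mentions; after the restart, split_event should report doubled = False for new events and strip_splunk_header becomes a no-op.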