Getting Data In

Why does Splunk add a timestamp to _raw if there already is a valid one?

pinVie
Path Finder

Hello,

I have the following problem and I don't really know where to look next in order to find the issue.

I have the following setup: DataSource ----> Universal Forwarder ---> Heavy Forwarder --> Index
The logs in the data source look like this: Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTANME1) via xx.xx.xx.xxx [432000]

After indexing, the logs look like this: Aug 5 11:19:00 xx.xx.xx.xx Aug 5 09:19:44 dhcpd: DHCPACK on xx.xx.xx.xx to xx:xx:xx:xx:xx:xx (HOSTANME1) via xx.xx.xx.xxx [432000]

We used Wireshark to look at the traffic and figured out that the UF is adding this additional timestamp + IP, and I have no idea why it does that. Sourcetype is syslog.

Does anybody know this issue, or is there any place I can look to figure this out?

Thx a lot!!!

0 Karma

Gilberto_Castil
Splunk Employee

When using the SYSLOG forwarding feature in Splunk, the default behaviour is to prepend the forwarding hostname or IP address and the current timestamp.

For example:

# inputs.conf
no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host to received events.
* Default is false.

Of course, you'd have to examine the content of your outputs.conf as well. It is important to understand that this is only applicable if forwarding SYSLOG.

To properly address this configuration item, it will be necessary to examine the configuration from each hop.

Makes sense?

0 Karma
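A quick triage check for the symptom described in this thread, added here as an example and not code from the thread or from Splunk: it recognises an indexed _raw line that carries a prepended forwarder timestamp and host, splits off the original event and reports how far apart the two timestamps are. The sample line and IP addresses are constructed, and the year is an assumption because BSD syslog timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample of an indexed event showing the symptom from the thread:
# the receiving input's timestamp and host were prepended to the original line.
SAMPLE_RAW = (
    "Aug 5 11:19:00 10.0.0.5 "
    "Aug 5 09:19:44 dhcpd: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:ff "
    "(HOSTNAME1) via 10.0.0.1 [432000]"
)

# BSD syslog timestamp: "Mon  D HH:MM:SS" (the day may be space-padded).
_TS = r"[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
# Prefix produced when no_appending_timestamp is false: "<timestamp> <host> "
# followed by the original event, which itself starts with a syslog timestamp.
_PREFIXED = re.compile(
    rf"^(?P<added>{_TS}) (?P<host>\S+) (?P<orig>(?P<orig_ts>{_TS}) .*)$"
)


def _parse_ts(ts: str, year: int) -> datetime:
    """Parse a syslog timestamp; the year is supplied because syslog has none."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def split_appended_prefix(raw: str, year: int = 2024):
    """Return (original_event, forwarder_host, skew_seconds) when `raw` carries a
    prepended forwarder timestamp and host, otherwise None.

    skew_seconds is the appended (receive) time minus the original event time,
    i.e. how wrong _time would be if extraction picks the first timestamp.
    """
    m = _PREFIXED.match(raw)
    if not m:
        return None
    skew = (_parse_ts(m["added"], year) - _parse_ts(m["orig_ts"], year)).total_seconds()
    return m["orig"], m["host"], skew


def count_prefixed(events) -> int:
    """Number of _raw strings in `events` that show the double-timestamp symptom."""
    return sum(1 for e in events if split_appended_prefix(e) is not None)


if __name__ == "__main__":
    print(split_appended_prefix(SAMPLE_RAW))
```

Run it over a sample of exported _raw values per sourcetype to see which inputs still prepend a timestamp before and after the setting is changed on each hop.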

pinVie
Path Finder

Makes a lot of sense - I'll try it as soon as I am in the office. Thx a lot!!

0 Karma

twinspop
Influencer

My guess is you're delivering the data via syslog (or syslog-like) services at some point in the data flow. Splunk has the option to disable timestamp prefixing with UDP inputs if you're using Splunk for the UDP input (presumably on the UF):

no_appending_timestamp = [true|false]

jon
