Hi,
I have a heavy forwarder which is sending data to indexers, and at the same time it is sending the same data to the QRadar SIEM.
For the indexers, data is received correctly with no issue. But when I am sending to the QRadar system it appends an extra header to the packets, with the forwarder as the sending host and the time it was forwarded, not the original MPLS ASA time.
I am using "syslog" in outputs.conf, and this allows us to use "type = udp", which QRadar expects and prefers.
If I use "no_appending_timestamp = true" in inputs.conf I am afraid that it will impact sending to the indexers also, which is currently working fine.
My inputs.conf looks like:
[monitor:///splunk/splunkdata/catch_all/.../*.log]
sourcetype = syslog
index = main
host_segment = 4
recursive = true
ignoreOlderThan = 3d
disabled = false
and outputs.conf with the QRadar stanza:
[syslog:Qradar_Output]
server = qradar server hostname:514
Can you please help me with a setting where I can remove the extra header (forwarder timestamp and host name) without impacting my indexers receiving data.
Thanks
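As an added illustration, not part of the original post or of any Splunk or QRadar code, here is a small Python parser that detects the double-headed events described above (a forwarder-added syslog header in front of the original ASA event) and recovers the original ASA host and timestamp. It assumes both headers use the BSD syslog form "<PRI>Mon dd HH:MM:SS host "; the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumption (not taken from the post): both the header the forwarder prepends
# and the ASA event's own header look like "<PRI>Mon dd HH:MM:SS host ".
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)

def split_headers(line: str) -> Dict[str, Optional[str]]:
    """Return the forwarder header fields (if a second header follows it),
    the original event's header fields, and the original event text."""
    first = HEADER.match(line)
    second = HEADER.match(line[first.end():]) if first else None
    if first and second:
        # Two consecutive syslog headers: the outer one came from the forwarder.
        return {
            "fwd_host": first.group("host"), "fwd_ts": first.group("ts"),
            "orig_host": second.group("host"), "orig_ts": second.group("ts"),
            "event": line[first.end():],
        }
    # Single header (or none): nothing was prepended, keep the line as-is.
    return {
        "fwd_host": None, "fwd_ts": None,
        "orig_host": first.group("host") if first else None,
        "orig_ts": first.group("ts") if first else None,
        "event": line,
    }

def count_double_headed(lines: List[str]) -> int:
    """How many lines carry a forwarder header in front of the real event."""
    return sum(1 for l in lines if split_headers(l)["fwd_host"] is not None)

# Constructed samples: hf01 is the hypothetical heavy forwarder, asa-edge the ASA.
SAMPLES = [
    "<13>Mar  3 10:15:02 hf01 <166>Mar  3 10:14:58 asa-edge : %ASA-6-302013: "
    "Built outbound TCP connection 12345 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "<166>Mar  3 10:14:59 asa-edge : %ASA-6-302014: Teardown TCP connection 12345",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = split_headers(s)
        print(f"fwd={r['fwd_host']}@{r['fwd_ts']} orig={r['orig_host']}@{r['orig_ts']}")
    print("double-headed lines:", count_double_headed(SAMPLES))
```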