I see some strange things happen.
I have added three devices to the Splunk Mikrotik environment.
1. RB750Gr3 as a router. (sending over UDP 514)
2. HAPac2 configured as a switch (Accesspoint) (sending over UDP 515)
3. Mikrotik CHR as Dude server. (sending over UDP 516)
Everything seems to log all information to Splunk, but after some time the data of the HAPac2 is not examined any more by Splunk.
After restarting the Splunk server everything is OK again for a short time.
The Router and the DUDE server have no issues.
When I check the splunkd.log file I see a lot of "Failed to parse timestamp" messages for the HAPac2 syslog:
01-22-2019 09:46:45.504 +0100 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:515|host=192.168.0.8|syslog|
What can be wrong?
This morning I updated to version 2.6.
But I had this problem before. So it is not version related.
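A small diagnostic, added here as an example and not part of the post above or of Splunk itself: it checks whether a syslog event carries a recognisable timestamp inside the first MAX_TIMESTAMP_LOOKAHEAD characters (32, as in the warning quoted above) and tallies "Failed to parse timestamp" warnings per source and host from splunkd.log lines. The sample events and the second splunkd line are constructed; the timestamp regexes cover only RFC 3164 and ISO 8601 shapes and are an assumption about what the events look like, not a statement about MikroTik's actual output format.

```python
import re
from collections import Counter

# Timestamp shapes Splunk's default date parser recognises near the start of
# an event (assumption: RFC 3164 "Jan 22 09:46:45" and ISO 8601 variants).
TIMESTAMP_PATTERNS = [
    re.compile(r"\b[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}\b"),
    re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\b"),
]

# Pulls source and host out of the Context field of a DateParserVerbose warning.
CONTEXT_RE = re.compile(
    r"Failed to parse timestamp.*?Context: source=(?P<source>[^|]+)\|host=(?P<host>[^|]+)\|"
)


def timestamp_in_lookahead(event, lookahead=32):
    """True if a known timestamp shape appears within the first `lookahead` chars.

    This mirrors the MAX_TIMESTAMP_LOOKAHEAD window: a timestamp further into the
    event than this is never seen by the parser, so the event falls back to the
    previous event's time, which is exactly what the warning reports.
    """
    window = event[:lookahead]
    return any(p.search(window) for p in TIMESTAMP_PATTERNS)


def events_missing_timestamp(events, lookahead=32):
    """Return the events whose timestamp is absent or outside the lookahead window."""
    return [e for e in events if not timestamp_in_lookahead(e, lookahead)]


def count_parse_failures(splunkd_lines):
    """Count DateParserVerbose failures per (source, host) from splunkd.log lines."""
    counts = Counter()
    for line in splunkd_lines:
        m = CONTEXT_RE.search(line)
        if m:
            counts[(m.group("source"), m.group("host"))] += 1
    return counts


# Constructed sample syslog events (not captured from a real device).
SAMPLE_EVENTS = [
    "<14>Jan 22 09:46:45 router1 system,info user admin logged in",          # RFC 3164 prefix
    "<14>hapac2 wireless,info 00:11:22:33:44:55@wlan1: connected",            # no timestamp at all
    "<14>2019-01-22T09:46:45+01:00 dude probe,info device up",                 # ISO 8601 prefix
    "<14>prefix padding padding padding Jan 22 09:46:45 late timestamp",       # timestamp past 32 chars
]

# First line is the one from the post; the second is constructed (host is a placeholder).
SAMPLE_SPLUNKD = [
    "01-22-2019 09:46:45.504 +0100 WARN DateParserVerbose - Failed to parse timestamp in first "
    "MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event "
    "(Tue Jan 22 00:20:00 2019). Context: source=udp:515|host=192.168.0.8|syslog|",
    "01-22-2019 09:46:46.101 +0100 WARN DateParserVerbose - Failed to parse timestamp in first "
    "MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event "
    "(Tue Jan 22 00:20:00 2019). Context: source=udp:515|host=192.168.0.8|syslog|",
    "01-22-2019 09:46:47.222 +0100 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2",
]

if __name__ == "__main__":
    for e in events_missing_timestamp(SAMPLE_EVENTS):
        print("no timestamp within lookahead:", e)
    for (source, host), n in count_parse_failures(SAMPLE_SPLUNKD).items():
        print(f"{n} parse failures for source={source} host={host}")
```

Running it over real events from the UDP 515 input (for example from a packet capture or `index=... source=udp:515 | table _raw`) shows whether the HAPac2 messages lack an early timestamp; if they do, the usual Splunk-side fixes are a props.conf stanza for that sourcetype with an explicit TIME_PREFIX and TIME_FORMAT, a larger MAX_TIMESTAMP_LOOKAHEAD, or DATETIME_CONFIG = CURRENT so events are stamped on arrival instead of inheriting a stale time.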