https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494456#M84419 <P>You're right, but ewwww, that's expected behaviour?</P> Wed, 06 May 2020 18:19:38 GMT BongoTheWhippet 2020-05-06T18:19:38Z https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494454#M84417 <P>On a Raspberry Pi 3 armv7l GNU/Linux, <CODE>INDEXED_EXTRACTIONS=JSON</CODE> in the <CODE>props.conf</CODE> file results in unrecoverable JSON StreamId processing errors:</P> <P><CODE>05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"<BR /> 05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"<BR /> 05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"</CODE></P> <P>with the log expanding so quickly, it fills up the <CODE>/opt/splunkforwarder/var/log/splunk/splunkd.log</CODE> to maximum logrotate capacity.</P> <P>Steps to duplicate bug:</P> <OL> <LI>Install <CODE>splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz</CODE> onto a Raspberry Pi 3.</LI> <LI><P>Edit the <CODE>/opt/splunkforwarder/etc/system/local/props.conf</CODE> and add the following code:</P> <P>[default]<BR /> SHOULD_LINEMERGE = false<BR /> KV_MODE = none<BR /> INDEXED_EXTRACTIONS=JSON<BR /> NO_BINARY_CHECK = true<BR /> TRUNCATE = 0</P></LI> <LI><P>Add a local JSON file to the splunk file monitor with <CODE>$SPLUNKHOME/bin/splunk add monitor /var/log/myvalidjsonfile.json -sourcetype json -host myhost -index myindex</CODE></P></LI> <LI><P>Restart splunk.</P></LI> <LI><P>Check the file <CODE>tail -f $SPLUNKHOME/var/log/splunk/splunkd.log</CODE></P></LI> <LI><P>Watch it scroll away off the screen! The errors above are reported for both <CODE>metrics.log</CODE> and the <CODE>splunkd.log</CODE> itself(!)</P></LI> <LI><P>Stop splunk.</P></LI> <LI><P>Edit <CODE>props.conf</CODE> again and remove the line <CODE>INDEXED_EXTRACTIONS=JSON</CODE>.</P></LI> <LI><P>Restart splunk.</P></LI> <LI><P>Your splunkd.log is back to normal again.</P></LI> </OL> Wed, 30 Sep 2020 05:22:30 GMT https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494454#M84417 BongoTheWhippet 2020-09-30T05:22:30Z https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494455#M84418 <P>so, i think what is happening is that you are adding that INDEXED_EXTRACTIONS=JSON to default, which will apply to every log the system is forwarding , and that includes the Splunk logs themselves (everything in $SPLUNK_HOME/var/log/splunk), which are not JSON formatted. </P> <P>you are better to use a specific sourcetype for your pi logs, and add the indexed extractions to that rather than in default. </P> <P>./D</P> Wed, 30 Sep 2020 05:19:06 GMT https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494455#M84418 darrenfuller 2020-09-30T05:19:06Z https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494456#M84419 <P>You're right, but ewwww, that's expected behaviour?</P> Wed, 06 May 2020 18:19:38 GMT https://community.splunk.com/t5/Getting-Data-In/Raspberry-Pi-Universal-Forwarder-Bug-Report-for-splunkforwarder/m-p/494456#M84419 BongoTheWhippet 2020-05-06T18:19:38Z