topic Re: Monitoing remote file server log have \x00\ in Getting Data In

Monitoing remote file server log have \x00\

kennethyeung — Thu, 20 Dec 2018 01:54:42 GMT

Usually first few line have issue, I suspect the Application still writing the log to the log file but splunk try to read the log file

Can we setup splunk to wait ?

Re: Monitoing remote file server log have \x00\

sdchakraborty — Thu, 20 Dec 2018 06:06:34 GMT

Hi,

Can you give more details about your problem. An example probably.

Sid

Re: Monitoing remote file server log have \x00\

dkeck — Thu, 20 Dec 2018 06:49:27 GMT

Hi,

you can not (easily) delay ingestion of data, but see this post for help:
https://answers.splunk.com/answers/705953/can-you-delay-a-universal-forwarder-from-ingesting.html#answer-708749

Re: Monitoing remote file server log have \x00\

kennethyeung — Thu, 20 Dec 2018 08:15:23 GMT

example, in the index, i will see below event
1 . \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ................................................
2 .#Software: Microsoft Exchange Server

Re: Monitoing remote file server log have \x00\

kennethyeung — Thu, 20 Dec 2018 08:16:49 GMT

Thanks, my splunk is Windows Server, and the log file we didnt install the agent to forward the log.

we just monitor it by file share

Re: Monitoing remote file server log have \x00\

dkeck — Thu, 20 Dec 2018 08:52:33 GMT

Doesn´t matter if forwarder or fileshare monitor.

Re: Monitoing remote file server log have \x00\

ddrillic — Thu, 20 Dec 2018 14:04:43 GMT

The following worked for me a couple of times - How do I remove \x00 characters from my log message?

Re: Monitoing remote file server log have \x00\

ddrillic — Thu, 20 Dec 2018 16:56:51 GMT

Right. If you look at the url I posted you can see the solution -

Automatically at parsing ("indexing") time for any new data, in props.conf -

    [yoursourcetype]
    SEDCMD-remove_nulls = s/\\x00//g