Hi,
We are running into an issue where the Splunk eStreamer Technical Add-On keeps crashing when receiving events from our Cisco Firepower instance.
The exact error logs being observed on the Splunk side are as follows:
2021-12-17 09:19:23,377 root INFO 'latin-1' codec can't encode character '\u2013' in position 460: ordinal not in range(256)
2021-12-17 09:19:23,384 Writer ERROR [no message or attrs]: 'latin-1' codec can't encode character '\u2013' in position 460: ordinal not in range(256)\n'latin-1' codec can't encode character '\u2013' in position 460: ordinal not in range(256)Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/baseproc.py", line 209, in receiveInput\n self.onReceive( item )\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/baseproc.py", line 314, in onReceive\n self.onEvent( item )\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/pipeline.py", line 416, in onEvent\n write( item, self.settings )\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/pipeline.py", line 238, in write\n streams[ index ].write( event['payloads'][index] + delimiter )\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/streams/file.py", line 96, in write\n self.file.write( data.encode( self.encoding ).decode('utf-8') )\nUnicodeEncodeError: 'latin-1' codec can't encode character '\u2013' in position 460: ordinal not in range(256)\n
2021-12-17 09:19:23,384 Writer ERROR Message data too large. Enable debug if asked to do so.
2021-12-17 09:19:23,385 Writer INFO Error state. Clearing queue
We have also updated the TA to the latest version (4.8.3) as noted on the Splunk Add-On page for the app: https://splunkbase.splunk.com/app/3662/
On the HF side, we also increased the number of worker processes from 4 to 8, which did not help.
Wondering if anyone experienced the same issues.
Let me know.
Thanks.
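Added example, not part of the original post and not the add-on's own code: it reproduces the expression shown at file.py line 96 in the traceback (`data.encode( self.encoding ).decode('utf-8')`) on constructed payloads, showing that with `latin-1` the round trip only survives pure-ASCII events. The function names, the sample events and the `write_tolerant` alternative are assumptions made for illustration.

```python
import io

# Constructed sample payloads (not real eStreamer output).
EN_DASH_EVENT = 'rec_type=400 msg="Policy \u2013 blocked"\n'  # U+2013, as in the log
ACCENT_EVENT = 'rec_type=400 user="Ren\u00e9"\n'              # representable in latin-1
ASCII_EVENT = 'rec_type=400 msg="plain"\n'


def roundtrip_outcome(data, encoding="latin-1"):
    """Classify what data.encode(encoding).decode('utf-8') does to one payload."""
    try:
        raw = data.encode(encoding)
    except UnicodeEncodeError:
        return "encode_error"   # the failure reported in the traceback
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return "decode_error"   # latin-1 bytes >= 0x80 are not valid UTF-8
    return "ok"


def unencodable(data, encoding="latin-1"):
    """List (position, code point) for characters the codec cannot represent."""
    found = []
    for pos, ch in enumerate(data):
        try:
            ch.encode(encoding)
        except UnicodeEncodeError:
            found.append((pos, "U+%04X" % ord(ch)))
    return found


def write_tolerant(stream, data, encoding="latin-1"):
    """Hypothetical writer: encode once to a binary stream and escape
    unrepresentable characters, so the event is kept instead of raising."""
    raw = data.encode(encoding, errors="backslashreplace")
    stream.write(raw)
    return raw


if __name__ == "__main__":
    for event in (ASCII_EVENT, ACCENT_EVENT, EN_DASH_EVENT):
        print(roundtrip_outcome(event), unencodable(event))
    buf = io.BytesIO()
    write_tolerant(buf, EN_DASH_EVENT)
    print(buf.getvalue())
```

Running `unencodable` over a captured payload identifies which characters in an event trip the writer before it reaches the "Error state. Clearing queue" path seen in the log.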