Failed to decode 1 byte

bob87 · ‎02-14-2013

I am trying to index a new file and am first configuring the source type in the Data Preview screen, however although the records seem to be recognised ok, at the top of the screen I am getting the message "Failed to decode 1 bytes".

The props.conf entry for this source type will have the following parameters:

DATETIME_CONFIG=CURRENT

NO_BINARY_CHECK=1

SHOULD_LINEMERGE=false

TRUNCATE=0

The file contains no timestamps and I am only interested in indexing the file to be able to search the data (one line per event). I tried removing the lines

DATETIME_CONFIG=CURRENT

TRUNCATE=0

but still got the same message.

Can anyone indicate what may be causing this?

nekb1958 · ‎03-05-2014

yes, I got a similar error message "failed to decode 1 bytes; failed to decode 2 bytes". what´s wrong? after examining the input-file it shows, it is iso8859-1 encoded (first "special" char in line 400). after overwriting the props.conf in data preview

CHARSET=UTF8 (splunks guess)
with
CHARSET=ISO8859-1

removes the error message and splunk interprets (especially views the "special" char) the contents right.

pierre_weg · ‎10-24-2013

Same error...

I have a log file with this content:
2013/10/04 15:40:05;PC301359;drussef;HEW2.exe;CFW70x_v12x - High-performance Embedded Workshop - [SoftPlc.c];,explorer.exe,HEW2.exe,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:11;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:17;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:23;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:29;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe

My props.conf:
[RUL]

NO_BINARY_CHECK = 1

pulldown_type = 1

CHECK_FOR_HEADER = false

REPORT-AutoHeader = AutoHeader-1

My transforms.conf:

[AutoHeader-1]

DELIMS = ";"

FIELDS = "TIMESTAMP", "HOSTNAME", "USERNAME", "PROCESS", "WINDOW", "OTHER_PROCESSES"

When I add a new input pointing to this log file, and choosing the RUL sourcetype I have a good preview:

File properties

Path /data/RUL.log

Bytes 1,420,726

number of events extracted 9,999

Event time distribution

10/4/13 3:00 PM10/8/13 11:00 AM

Event linecount distribution

lines per event # of events

1 9,999 (100%)

But at the top of the screen a have an error message:
"Failed to decode 1 bytes; Failed to decode 10 bytes"

After finhishing, trying to search on the RUL soucetype, appears that nothing become indexed.

PS. Runnuning Splunk 6.0

Thanks in advice.

gajananh999 · ‎06-14-2013

Dear All

I am getting the same error can anyone please help me out in this.

Thanks
Gajanan

Failed to decode 1 byte

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor