Splunk shows ASCII numbers where I expect readable...

johan974 · ‎11-17-2020

I am new to this community, hope you can help. We use Splunk for years.

Symptom: we see ASCII numbers as search results, expecting readable texts. How can I get readable text?

Our Spring Boot applications run inside Docker containers. We log using e.g. log4j2.

When I use in my Spring Boot application the Spring log4j2.xml configuration file (see below) then log statements are readable (as plain text) in the Docker logs. When I try to read them in Splunk the message is shown like:

message=['123', '34' '116', ... ]

When I remove the log4j2.xml file, then all logs are readable again both in the Docker logs as in Splunk.

Why is this happening? How can I make the messages readable in Splunk?

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info">
    <Appenders>
        <Console name="Console-Appender" target="SYSTEM_OUT">
            <PatternLayout>
                <pattern>
                    [%-5level] %d{MM-dd HH:mm:ss.SSS} [%t] [%c{1} - %msg%n
                </pattern>
            </PatternLayout>
        </Console>
    </Appenders>
    <Loggers>
        <Logger name="nl.mycompany.xyz" level="info" additivity="false">
            <AppenderRef ref="Console-Appender" />
        </Logger>
        <Root>
            <AppenderRef ref="Console-Appender" />
        </Root>
    </Loggers>
</Configuration>

Splunk shows ASCII numbers where I expect readable text

form

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector