Getting odd data uploaded to my Splunk

alanxu
Communicator

Hello,
I added to the .config file so whatever gets added to a folder will automatically be added to Splunk, however looking through my events I am getting weird characters that are not in the file that look like...

Last Name, First name\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00X\x00u\x00,\x00 \x00A\x00l\x00a\x00n\x00\x00\x00\x00\x00\x00\x00 \xB0~r\x00\x00\x00\x8A \x00V\x00i\x00s\x00a\x00 \x00I\x00n\x00c\x00.\x00\x00\x00\x00\x00\xB0~r\x00\x00\x00\x8C\x00X\x00u\x00,\x00 \x00A\x00l\x00a\x00n\x00\x00\x00\x00\x00\x00\x00\xB0~r\x00\x00\x00\x88oMj\xF0\D6Lj\xD7j

0 Karma
1 Solution

martin_mueller
SplunkTrust

It's a mix of how your file is written and how Splunk is trying to understand it. Here's how you would tell Splunk to try to understand the file as UTF-16:

props.conf on the Splunk instance reading the file (usually a Universal Forwarder)
[your_sourcetype]
CHARSET = UTF-16


alanxu
Communicator

So in my \SplunkLightForwarder\default\props.conf

I added the lines
[Log]
CHARSET = UT-16

0 Karma

martin_mueller
SplunkTrust

My bet is on two-byte UTF-16, I can spot a Xu, Alan in between all the zero-bytes.

0 Karma
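
The zero-byte pattern read by eye in the reply above can be checked mechanically before a CHARSET is chosen. This is an added example, not code from the thread or from Splunk; the function names, the 0.4 threshold and the sample bytes are assumptions constructed for illustration.

```python
import codecs

def misread_view(data: bytes) -> str:
    """Show bytes as a single-byte reader would: printable ASCII kept, the rest as hex escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02X}" for b in data)

def sniff_utf16(data: bytes, threshold: float = 0.4):
    """Guess UTF-16 byte order from a BOM, or from where the NUL bytes sit."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return "UTF-16LE"
    if data.startswith(codecs.BOM_UTF16_BE):
        return "UTF-16BE"
    if len(data) < 4:
        return None  # too short to judge
    even, odd = data[0::2], data[1::2]
    even_nul = even.count(0) / len(even)
    odd_nul = odd.count(0) / len(odd)
    # Latin text in UTF-16 has a NUL in every other byte:
    # low byte first (LE) puts NULs at odd offsets, high byte first (BE) at even offsets.
    if odd_nul >= threshold and even_nul < threshold / 4:
        return "UTF-16LE"
    if even_nul >= threshold and odd_nul < threshold / 4:
        return "UTF-16BE"
    return None  # plain single-byte text, or NULs everywhere (padding/binary)

# Constructed samples (not taken from the poster's file)
SAMPLE_LE = "Xu, Alan".encode("utf-16-le")
SAMPLE_BE = "Xu, Alan".encode("utf-16-be")
SAMPLE_ASCII = b"Last Name, First name"
SAMPLE_PADDING = bytes(16)  # a run of NULs only, like the gap after the header

if __name__ == "__main__":
    for label, blob in [("LE", SAMPLE_LE), ("BE", SAMPLE_BE),
                        ("ASCII", SAMPLE_ASCII), ("padding", SAMPLE_PADDING)]:
        print(f"{label:8} guess={sniff_utf16(blob)!s:9} seen as: {misread_view(blob)}")
```

A result of None for data that is full of NUL bytes points to padding or a binary format rather than UTF-16 text.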

alanxu
Communicator

Is there a reason why that comes up? Is it the type of file I'm uploading?

0 Karma

acharlieh
Influencer

A few initial questions, are these binary files (excel files or whatnot) of some sort as opposed to "plain text"? Secondly, are you specifying the correct CHARSET for these files in props.conf (Are they ASCII files or are they a different encoding)?

0 Karma

alanxu
Communicator

They are .rtf files.

0 Karma

alanxu
Communicator

Hmm, change props.config? So what's happening is that my file can be in a different format that is specified in the props.conf?

0 Karma

MuS
Legend

Or do you forward data using a universal forwarder and send it to a Splunk TCP port http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports instead of the default Splunk receiving port http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Enableareceiver#Set_up_receiving?

0 Karma

alanxu
Communicator

All I did was change the .config file

0 Karma

alanxu
Communicator

The inputs.config

0 Karma