How to edit my configurations to encode French spe...

Naaba · ‎02-27-2017

Hi,

I am importing data from Gitlab to Splunk.
The data imported are in French and contains special characters like é, à, è, ê.
Data imported in Splunk are not well encoded.

For example when importing "Définition" I got "D�finition" in Splunk

I tried to configure Splunk (props.conf) with others charsets (UTF-8, latin-1) but nothing works.

Can anyone help me please?

Thank you

aaraneta_splunk · ‎04-21-2017

@Naaba - Did the answer below or the comments above help resolve your issue? If yes, please "Accept" the answer below to close out your question. If it's a comment, please mark which comment it was so I can convert it to an answer to be accepted. If you still need help, please add an additional comment with some more feedback. Thanks.

woodcock · ‎02-28-2017

Read this first:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Configurecharactersetencoding

Now, have you tried this in props.conf:

[host::<YourFrenchHost>]
CHARSET=AUTO

Make sure that the line uses ALL-CAPS.

mdelwaide · ‎02-27-2017

Have you tried this encoding in your props.conf ?

[SOURCETYPE]
CHARSET=CP1252

ddrillic · ‎02-27-2017

You need to figure out the encoding of the source. The following tool helped me many times in the past - Encoding tool

So, you can capture one character from the source data and paste it in the tool's text box. Then you need to see whether it matches one of the encoding the tool supports.

How to edit my configurations to encode French special characters (é à ê è)?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team