Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to stop getting garbage HEXA ASCII logs from log source?

pm2012
Explorer
‎06-06-2023 11:23 PM

Hi SMEs,

I am getting some garbage/hexa format/ASCII format logs from one of the log source integrated with Splunk, it is customized linux platform and been integrated using TCP input. Sharing the sample log below. Seeking suggestions to find and fix it. thanks in advance 

pm2012_0-1686118951686.png

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-07-2023 02:05 AM

Hi

I suppose that your source file contains UTF16-LE characters? If so you must add encoding information to props.conf on HF side.

Here is couple of old answers which clarify this quite well

r. Ismo

0 Karma
Reply

pm2012
Explorer
‎06-07-2023 04:32 AM

thanks @isoutamo 

Just last doubt, how to check which format is it and which is supposed to be like UTF-18 or something else 

pm2012_0-1686137568328.png

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-07-2023 05:34 AM

You can use command file in linux see: https://www.shellhacks.com/linux-check-change-file-encoding/

Usually Splunk wants to use UTF-8 encoding.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-06-2023 11:35 PM

How have you configured the input?

0 Karma
Reply

pm2012
Explorer
‎06-06-2023 11:44 PM

@ITWhisperer  Input are configured using TCP at HF and logs are being sent using rsyslog.conf input parameters having needed filename. Logs are being sent to customized TCP port 615xx. Created multiple inputs for each filepath defined in rsyslog.conf

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2023 12:20 AM

Please can you share the config?

0 Karma
Reply

pm2012
Explorer
‎06-07-2023 12:51 AM

Here is the rsyslog.conf file appended config, where 10.10.10.10 is Splunk HF IP and defined ports being used for log collection against TCP inputs.

 

##############Splunk#############

$InputFileName /var/SharedStorage/dl_logs/hostname01.com/dl_security/*
$InputFileTag dl-dl_security-log
$InputFileStateFile dl-dl_security-log
$InputFileSeverity error
$InputFileFacility local9
$InputRunFileMonitor

$InputFileName /var/SharedStorage/dl_logs/hostname01.com/pacemaker/*
$InputFileTag dl-pacemaker-log
$InputFileStateFile dl-pacemaker-log
$InputFileSeverity error
$InputFileFacility local9
$InputRunFileMonitor



$InputFilePollInterval 10


$template cmdlogsTemplate,"<dl> %timereported:::date-year%-%timereported:::date-month%-%timereported:::date-day% %timereported:::date-hour%:%timereported:::date-minute%:%timereported:::date-second% %HOSTNAME% %syslogtag% %msg% \n "

if $programname == 'dl-dl_security-log' then @@10.10.10.10:61515;cmdlogsTemplate
& ~
if $programname == 'dl-pacemaker-log' then @@10.10.10.10:61516;cmdlogsTemplate

*.* @@10.10.10.10:61500
#########################

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...