Getting Data In

Log messages about undiscovered character set and UTF-8 in metrics.log and splunkd.log

absreim
Explorer

Hi,

While conducting an analysis of bandwidth usage by Splunk 6 agents on two separate desktops, I noticed a discrepancy in the bandwidth usage by a factor of 2. After doing some research into the issue, I noticed that a large number of events concerning log entries in splunkd.log and metrics.log were being sent to the _internal index, and these events account for the vast majority of the bandwidth usage discrepancy.

Does anyone know what the log entries below mean? If so, how do I configure log.cfg to disable these informational entries?

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:51.651 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log|host::P-2UA3490YXK|splunkd|678"

Thanks

Tags (3)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That's interesting, over here I see UTF8Processor set to WARN by default (rootCategory in log.cfg)... that's on an indexer though. If that's not the case for your forwarder, you should be able to set this by either changing the existing override (search for category.UTF8Processor) or by adding an override for that category alongside all the other overrides that already are there, something like this:

...
[splunkd]
rootCategory=WARN,A1
category.UTF8Processor=INFO
category.AdminManagerKN=INFO
...
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I added it myself, it didn't exist before as well.

0 Karma

absreim
Explorer

This line doesn't exist in the configuration on our Splunk agents, which are version 6.0.0.

category.UTF8Processor=INFO

What version of the agent are you using?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...