Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log messages about undiscovered character set and UTF-8 in metrics.log and splunkd.log

absreim
Explorer
‎02-04-2014 02:47 PM

Hi,

While conducting an analysis of bandwidth usage by Splunk 6 agents on two separate desktops, I noticed a discrepancy in the bandwidth usage by a factor of 2. After doing some research into the issue, I noticed that a large number of events concerning log entries in splunkd.log and metrics.log were being sent to the _internal index, and these events account for the vast majority of the bandwidth usage discrepancy.

Does anyone know what the log entries below mean? If so, how do I configure log.cfg to disable these informational entries?

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:51.651 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log|host::P-2UA3490YXK|splunkd|678"

Thanks

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2014 03:29 PM

That's interesting, over here I see UTF8Processor set to WARN by default (rootCategory in log.cfg)... that's on an indexer though. If that's not the case for your forwarder, you should be able to set this by either changing the existing override (search for category.UTF8Processor) or by adding an override for that category alongside all the other overrides that already are there, something like this:

...
[splunkd]
rootCategory=WARN,A1
category.UTF8Processor=INFO
category.AdminManagerKN=INFO
...
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 03:44 PM

I added it myself, it didn't exist before as well.

0 Karma
Reply

absreim
Explorer
‎02-07-2014 03:43 PM

This line doesn't exist in the configuration on our Splunk agents, which are version 6.0.0.

category.UTF8Processor=INFO

What version of the agent are you using?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...