Hi,
While conducting an analysis of bandwidth usage by Splunk 6 agents on two separate desktops, I noticed a discrepancy in the bandwidth usage by a factor of 2. After doing some research into the issue, I noticed that a large number of events concerning log entries in splunkd.log and metrics.log were being sent to the _internal index, and these events account for the vast majority of the bandwidth usage discrepancy.
Does anyone know what the log entries below mean? If so, how do I configure log.cfg to disable these informational entries?
01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"
01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"
01-30-2014 11:56:51.651 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log|host::P-2UA3490YXK|splunkd|678"
Thanks
That's interesting, over here I see UTF8Processor set to WARN by default (rootCategory in log.cfg)... that's on an indexer though. If that's not the case for your forwarder, you should be able to set this by either changing the existing override (search for category.UTF8Processor) or by adding an override for that category alongside all the other overrides that already are there, something like this:
...
[splunkd]
rootCategory=WARN,A1
category.UTF8Processor=INFO
category.AdminManagerKN=INFO
...
I added it myself, it didn't exist before as well.
This line doesn't exist in the configuration on our Splunk agents, which are version 6.0.0.
category.UTF8Processor=INFO
What version of the agent are you using?