Monitoing remote file server log have \x00\

kennethyeung · ‎12-19-2018

Usually first few line have issue, I suspect the Application still writing the log to the log file but splunk try to read the log file

Can we setup splunk to wait ?

ddrillic · ‎12-20-2018

The following worked for me a couple of times - How do I remove \x00 characters from my log message?

dkeck · ‎12-19-2018

Hi,

you can not (easily) delay ingestion of data, but see this post for help:
https://answers.splunk.com/answers/705953/can-you-delay-a-universal-forwarder-from-ingesting.html#an...

kennethyeung · ‎12-20-2018

Thanks, my splunk is Windows Server, and the log file we didnt install the agent to forward the log.

we just monitor it by file share

dkeck · ‎12-20-2018

Doesn´t matter if forwarder or fileshare monitor.

sdchakraborty · ‎12-19-2018

Hi,

Can you give more details about your problem. An example probably.

Sid

kennethyeung · ‎12-20-2018

example, in the index, i will see below event
1 . \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ................................................
2 .#Software: Microsoft Exchange Server

ddrillic · ‎12-20-2018

Right. If you look at the url I posted you can see the solution -

Automatically at parsing ("indexing") time for any new data, in props.conf -

    [yoursourcetype]
    SEDCMD-remove_nulls = s/\\x00//g

Monitoing remote file server log have \x00\

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability