Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Monitoing remote file server log have \x00\
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoing remote file server log have \x00\
Usually first few line have issue, I suspect the Application still writing the log to the log file but splunk try to read the log file
Can we setup splunk to wait ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following worked for me a couple of times - How do I remove \x00 characters from my log message?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can not (easily) delay ingestion of data, but see this post for help:
https://answers.splunk.com/answers/705953/can-you-delay-a-universal-forwarder-from-ingesting.html#an...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, my splunk is Windows Server, and the log file we didnt install the agent to forward the log.
we just monitor it by file share
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doesn´t matter if forwarder or fileshare monitor.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can you give more details about your problem. An example probably.
Sid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
example, in the index, i will see below event
1 . \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ................................................
2 .#Software: Microsoft Exchange Server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right. If you look at the url I posted you can see the solution -
Automatically at parsing ("indexing") time for any new data, in props.conf -
[yoursourcetype]
SEDCMD-remove_nulls = s/\\x00//g
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
