Monitoing remote file server log have \x00\

kennethyeung · ‎12-19-2018

Usually first few line have issue, I suspect the Application still writing the log to the log file but splunk try to read the log file

Can we setup splunk to wait ?

ddrillic · ‎12-20-2018

The following worked for me a couple of times - How do I remove \x00 characters from my log message?

dkeck · ‎12-19-2018

Hi,

you can not (easily) delay ingestion of data, but see this post for help:
https://answers.splunk.com/answers/705953/can-you-delay-a-universal-forwarder-from-ingesting.html#an...

kennethyeung · ‎12-20-2018

Thanks, my splunk is Windows Server, and the log file we didnt install the agent to forward the log.

we just monitor it by file share

dkeck · ‎12-20-2018

Doesn´t matter if forwarder or fileshare monitor.

sdchakraborty · ‎12-19-2018

Hi,

Can you give more details about your problem. An example probably.

Sid

kennethyeung · ‎12-20-2018

example, in the index, i will see below event
1 . \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ ................................................
2 .#Software: Microsoft Exchange Server

ddrillic · ‎12-20-2018

Right. If you look at the url I posted you can see the solution -

Automatically at parsing ("indexing") time for any new data, in props.conf -

    [yoursourcetype]
    SEDCMD-remove_nulls = s/\\x00//g

Monitoing remote file server log have \x00\

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

Monitoing remote file server log have \x00\

The All New Performance Insights for Splunk

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...