Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SplunkForwarder garble events with \x00

berndg
Engager
‎07-04-2013 05:40 AM

I observe a strange behavior with one of out UniversalForwarders.

First I've added a new logfile on the forwarder with CLI. Events looks good on a search.

After that I'vre removed the monitor and re-added with "-sourcetype cerberus-ftp".

Result: Events are not encoded anymore:

\x00[\x002\x000\x001\x003\x00-\x000\x007\x00-\x000\x004\x00 \x001\x004\x00:\x002\x005\x00:\x003\x003\x00]\x00:\x00C\x00O\x00N\x00N\x00E\x00C\x00T\x00 \x00[\x00 \x00 \x001\x003\x007\x000\x00]\x00 \x00-\x00 \x00T\x00h\x00e\x00 \x00c\x00l\x00i\x00e\x00n\x00t\x00 \x00c\x00l\x00o\x00s\x00e\x00d\x00 \x00t\x00h\x00e\x00 \x00c\x00o\x00n\x00n\x00e\x00c\x00t\x00i\x00o\x00n\x00

I've tried to add "CHARSET = UTF-16" to props.conf. Nothing changed.

If I remove the monitor and add without the sourcetype specified the event is displayed correctly.

Our Setup:

  • Windows SplunkForwarder 5.0.2
  • Linux Indexer 5.0.1
  • Linux SearchHead 5.0.1

Some ideas how to fix the encoding and why the specification of the sourcetype change it?

Reply

josh_beverly
Explorer
‎09-19-2018 08:53 AM

Did you ever get a solution to this? Also, I assume this is for logs for cerberus ftp? If so could you please provide your solution for getting the logs from cerberus?

Thanks,

0 Karma
Reply

russellliss
Path Finder
‎01-22-2014 12:20 PM

I had the exact same issue. No matter what I changed the sourcetype to, unless it was "server", which is the default, I got those characters coming through.

I even tried the charset suggestion from here http://answers.splunk.com/answers/24484/sql-server-errorlog, but then on one server I started to get even stranger results.

Only seems to happen with the Cerberus FTP log file though.

0 Karma
Reply

jonthanze
Explorer
‎10-02-2013 03:12 AM

Can you please share your input and props conf files ? I have the same issue with the same architecture and i cannot solve it

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...