Getting Data In

Why is my rule for charset based on sourcetype not working?



I have Splunk 6.2.0 and some data, that looks like syslog - but encoded with ugly CP1250 charset.
I wrote a rule to change sourcetype from 'syslog' to 'era', after matching some pattern - it works. I wrote a rule to extract host from a new sourcetype ('era' - my own) - it works too.

I wrote a rule for 'era' sourcetype to change CP (CHARSET = CP1250) - it DOESN'T work.

When I try to add new data with my sourcetype 'era' (stage 2 of 4- I see the rule as in the screenshoot : , but charset is not applied)

Tags (2)
0 Karma


Make sure you set the charset on the machine that has the inputs.conf stanza for this data, likely your universal forwarders.

0 Karma



Updated to 6.2.1.

If I explicitly set sourcetype to 'era' - before indexing; then charset is recognised.
If I set sourcetype to syslog (my 'era' logs are very similar to syslog) - rules work, but charset remains incorrect.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...