Getting Data In

Why is my rule for charset based on sourcetype not working?

lukasz92
Communicator

Hi,

I have Splunk 6.2.0 and some data that looks like syslog, but encoded with the ugly CP1250 charset.
I wrote a rule to change sourcetype from 'syslog' to 'era', after matching some pattern - it works. I wrote a rule to extract host from a new sourcetype ('era' - my own) - it works too.

I wrote a rule for 'era' sourcetype to change CP (CHARSET = CP1250) - it DOESN'T work.

When I try to add new data with my sourcetype 'era' (stage 2 of 4 - I see the rule as in the screenshot: http://oi62.tinypic.com/idi3q8.jpg , but the charset is not applied)

0 Karma

martin_mueller
SplunkTrust

Make sure you set the charset on the machine that has the inputs.conf stanza for this data, likely your universal forwarders.

0 Karma

lukasz92
Communicator

EDIT:

Updated to 6.2.1.

If I explicitly set sourcetype to 'era' - before indexing; then charset is recognised.
If I set sourcetype to syslog (my 'era' logs are very similar to syslog) - rules work, but charset remains incorrect.

0 Karma
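
Added example, not posted by either participant: a configuration sketch of the fix suggested above, keying CHARSET on something already known when the file is read, next to the setup from the question. The monitor path, the transform name and the regex placeholder are assumptions; the reading that the charset is chosen before the parse-time sourcetype rename is an inference from the behaviour reported in the thread.

```ini
# ---- inputs.conf, on the machine that reads the file (e.g. the universal forwarder)
# The path is a constructed placeholder.
[monitor:///var/log/era/era.log]
sourcetype = era

# ---- props.conf, on that same machine
# Option A: the sourcetype is assigned in inputs.conf, so it is known
# when the raw bytes are decoded.
[era]
CHARSET = CP1250

# Option B: the input has to stay "sourcetype = syslog" and be renamed later,
# so key the charset on the source instead of the final sourcetype.
[source::/var/log/era/era.log]
CHARSET = CP1250

# ---- Setup from the question: the rename works, the charset does not
# props.conf
#   [syslog]
#   TRANSFORMS-set_era = set_sourcetype_era      (hypothetical transform name)
#   [era]
#   CHARSET = CP1250        <- only reached after the rename, too late for decoding
# transforms.conf
#   [set_sourcetype_era]
#   REGEX = <pattern that identifies era events>
#   DEST_KEY = MetaData:Sourcetype
#   FORMAT = sourcetype::era
```

Use option A or option B, not both, and restart the instance that owns the input after changing props.conf. Data indexed before the change keeps its wrongly decoded characters.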