Why is my rule for charset based on sourcetype not working?

Communicator

Hi,

I have Splunk 6.2.0 and some data that looks like syslog, but encoded with the ugly CP1250 charset.
I wrote a rule to change sourcetype from 'syslog' to 'era', after matching some pattern - it works. I wrote a rule to extract host from a new sourcetype ('era' - my own) - it works too.

I wrote a rule for 'era' sourcetype to change CP (CHARSET = CP1250) - it DOESN'T work.

When I try to add new data with my sourcetype 'era' (stage 2 of 4 - I see the rule as in the screenshot: http://oi62.tinypic.com/idi3q8.jpg, but the charset is not applied)

0 Karma

SplunkTrust

Make sure you set the charset on the machine that has the inputs.conf stanza for this data, likely your universal forwarders.

0 Karma

Communicator

EDIT:

Updated to 6.2.1.

If I explicitly set sourcetype to 'era' - before indexing; then charset is recognised.
If I set sourcetype to syslog (my 'era' logs are very similar to syslog) - rules work, but charset remains incorrect.

0 Karma
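The behaviour reported in this thread, laid out as configuration. This is an added example, not taken from any of the posts: CHARSET is applied when the input is read, before index-time transforms rename the sourcetype, so it has to match the sourcetype or source the input arrives with. The monitor path, the transform name `set_sourcetype_era` and the REGEX placeholder are assumptions.

```ini
# --- inputs.conf (on the instance that reads the file, e.g. the universal forwarder) ---
# Hypothetical monitor path; replace with the real location of the CP1250 logs.
[monitor:///var/log/era/era.log]
sourcetype = era

# --- props.conf (same instance as inputs.conf) ---
# Matches, because the input already carries sourcetype=era when the bytes are decoded.
[era]
CHARSET = CP1250

# Alternative when the input must stay sourcetype=syslog:
# key the charset on the source instead of on the rewritten sourcetype.
[source::/var/log/era/era.log]
CHARSET = CP1250

# --- props.conf (parsing tier): the sourcetype rewrite described in the question ---
[syslog]
TRANSFORMS-set_era = set_sourcetype_era

# --- transforms.conf (parsing tier) ---
[set_sourcetype_era]
# Placeholder; the pattern used in the question is not shown on the page.
REGEX = <pattern that identifies era events>
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::era
# Events renamed here were already decoded under [syslog],
# so CHARSET in the [era] stanza never reaches them.
```

Use either the `[era]` stanza with an explicit `sourcetype = era` input or the `[source::...]` stanza, not both; mis-decoded events stay mis-decoded in the index, so pattern-based rules and searches on non-ASCII text will not match them until the data is re-ingested with the right charset.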