Solved: In Splunk, why am I getting the following error: "...

dkolekar_splunk · ‎03-03-2019

In the Splunk search head, while checking the Splunk status in the search head, I found the following messages continuously.

Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding 
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding 
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding

The same logs are found in splunkd.log. There is no business impact at the moment, but the logs are piling up with unwanted error messages.

Splunk product Information: Splunk Enterprise : 7.1.2
Recent activity in Splunk environment: Splunk Enterprise upgrade and multiple app installation & upgrade

What is the meaning of these messages, and from where it is coming?

dkolekar_splunk · ‎03-03-2019

Answer

I found that the path from error message is a part of local.meta file in splunk learned app.

File location: $Splunk_Home/etc/app/learned/metadata/local.meta

[props/t%E8%A7p%DE%88%3AAA-too_small]
owner = nobody
version = 7.1.2
modtime = 1548958844.339375000

After renaming the stanza and restarting the splunk service, the issue got resolved.

More Information:

The local.meta is used in two major senses:
1. It is used in migration to help the process to determine if items need to be changed to remain compatible with the new version
2. It is used to dynamically handle backwards compatibility so that a new version can work with older formats.

Content of the .meta files:
1. .meta files contain ownership information, access controls, and export settings for Splunk objects like saved searches, event types, and views.
2. Each app has its own default.meta file.
3. local.meta has higher precedence over default.meta
4. Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Defaultmetaconf

What is 'Learned' app?
1. The learned app, it is unique to each instance, and dynamically populated.
2. Ithe n learned app, splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)
3. For splunk doc, kindly check the last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter

View solution in original post

dkolekar_splunk · ‎03-03-2019

Answer

I found that the path from error message is a part of local.meta file in splunk learned app.

File location: $Splunk_Home/etc/app/learned/metadata/local.meta

[props/t%E8%A7p%DE%88%3AAA-too_small]
owner = nobody
version = 7.1.2
modtime = 1548958844.339375000

After renaming the stanza and restarting the splunk service, the issue got resolved.

More Information:

The local.meta is used in two major senses:
1. It is used in migration to help the process to determine if items need to be changed to remain compatible with the new version
2. It is used to dynamically handle backwards compatibility so that a new version can work with older formats.

Content of the .meta files:
1. .meta files contain ownership information, access controls, and export settings for Splunk objects like saved searches, event types, and views.
2. Each app has its own default.meta file.
3. local.meta has higher precedence over default.meta
4. Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Defaultmetaconf

What is 'Learned' app?
1. The learned app, it is unique to each instance, and dynamically populated.
2. Ithe n learned app, splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)
3. For splunk doc, kindly check the last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter

In Splunk, why am I getting the following error: "contains invalid UTF-8 encoding".

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!