In the Splunk search head, while checking the Splunk status in the search head, I found the following messages continuously.
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding
The same logs are found in splunkd.log. There is no business impact at the moment, but the logs are piling up with unwanted error messages.
Splunk product Information: Splunk Enterprise : 7.1.2
Recent activity in Splunk environment: Splunk Enterprise upgrade and multiple app installation & upgrade
What is the meaning of these messages, and from where it is coming?
Answer
I found that the path from error message is a part of local.meta file in splunk learned app.
File location: $Splunk_Home/etc/app/learned/metadata/local.meta
[props/t%E8%A7p%DE%88%3AAA-too_small]
owner = nobody
version = 7.1.2
modtime = 1548958844.339375000
After renaming the stanza and restarting the splunk service, the issue got resolved.
More Information:
The local.meta is used in two major senses:
1. It is used in migration to help the process to determine if items need to be changed to remain compatible with the new version
2. It is used to dynamically handle backwards compatibility so that a new version can work with older formats.
Content of the .meta files:
1. .meta files contain ownership information, access controls, and export settings for Splunk objects like saved searches, event types, and views.
2. Each app has its own default.meta file.
3. local.meta has higher precedence over default.meta
4. Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Defaultmetaconf
What is 'Learned' app?
1. The learned app, it is unique to each instance, and dynamically populated.
2. Ithe n learned app, splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)
3. For splunk doc, kindly check the last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter
Answer
I found that the path from error message is a part of local.meta file in splunk learned app.
File location: $Splunk_Home/etc/app/learned/metadata/local.meta
[props/t%E8%A7p%DE%88%3AAA-too_small]
owner = nobody
version = 7.1.2
modtime = 1548958844.339375000
After renaming the stanza and restarting the splunk service, the issue got resolved.
More Information:
The local.meta is used in two major senses:
1. It is used in migration to help the process to determine if items need to be changed to remain compatible with the new version
2. It is used to dynamically handle backwards compatibility so that a new version can work with older formats.
Content of the .meta files:
1. .meta files contain ownership information, access controls, and export settings for Splunk objects like saved searches, event types, and views.
2. Each app has its own default.meta file.
3. local.meta has higher precedence over default.meta
4. Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Defaultmetaconf
What is 'Learned' app?
1. The learned app, it is unique to each instance, and dynamically populated.
2. Ithe n learned app, splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)
3. For splunk doc, kindly check the last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter