Monitoring Splunk

In Splunk, why am I getting the following error: "contains invalid UTF-8 encoding".

dkolekar_splunk
Splunk Employee
Splunk Employee

In the Splunk search head, while checking the Splunk status in the search head, I found the following messages continuously.

Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding 
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding 
Path component 't%E8%A7p%DE%88%3AAA-too_small' contains invalid UTF-8 encoding 

The same logs are found in splunkd.log. There is no business impact at the moment, but the logs are piling up with unwanted error messages.

Splunk product Information: Splunk Enterprise : 7.1.2
Recent activity in Splunk environment: Splunk Enterprise upgrade and multiple app installation & upgrade

What is the meaning of these messages, and from where it is coming?

Tags (1)
0 Karma
1 Solution

dkolekar_splunk
Splunk Employee
Splunk Employee

Answer

I found that the path from error message is a part of local.meta file in splunk learned app.

File location: $Splunk_Home/etc/app/learned/metadata/local.meta

[props/t%E8%A7p%DE%88%3AAA-too_small]
owner = nobody
version = 7.1.2
modtime = 1548958844.339375000

After renaming the stanza and restarting the splunk service, the issue got resolved.

More Information:

The local.meta is used in two major senses:
1. It is used in migration to help the process to determine if items need to be changed to remain compatible with the new version
2. It is used to dynamically handle backwards compatibility so that a new version can work with older formats.

Content of the .meta files:
1. .meta files contain ownership information, access controls, and export settings for Splunk objects like saved searches, event types, and views.
2. Each app has its own default.meta file.
3. local.meta has higher precedence over default.meta
4. Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Defaultmetaconf

What is 'Learned' app?
1. The learned app, it is unique to each instance, and dynamically populated.
2. Ithe n learned app, splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)
3. For splunk doc, kindly check the last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter

View solution in original post

dkolekar_splunk
Splunk Employee
Splunk Employee

Answer

I found that the path from error message is a part of local.meta file in splunk learned app.

File location: $Splunk_Home/etc/app/learned/metadata/local.meta

[props/t%E8%A7p%DE%88%3AAA-too_small]
owner = nobody
version = 7.1.2
modtime = 1548958844.339375000

After renaming the stanza and restarting the splunk service, the issue got resolved.

More Information:

The local.meta is used in two major senses:
1. It is used in migration to help the process to determine if items need to be changed to remain compatible with the new version
2. It is used to dynamically handle backwards compatibility so that a new version can work with older formats.

Content of the .meta files:
1. .meta files contain ownership information, access controls, and export settings for Splunk objects like saved searches, event types, and views.
2. Each app has its own default.meta file.
3. local.meta has higher precedence over default.meta
4. Splunk docs: http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Defaultmetaconf

What is 'Learned' app?
1. The learned app, it is unique to each instance, and dynamically populated.
2. Ithe n learned app, splunk store automatic sourcetypes (for each file that was monitored without specifying a sourcetype)
3. For splunk doc, kindly check the last remark of this page :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Whysourcetypesmatter

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...