How do I search for accented characters?

DonaldvdHoogenb · ‎09-21-2017

Hi,

I have some text data with some accented characters in it.
However, I am not able to search them properly with a Splunk search query.

I have tested some stuff and I noticed the following:

This query works fine and returns the message I created:

| noop | stats count as message | eval message = "hęllo how are you" | search message=*ę*

This query does not work since it gives me 0 results (even though it should return 4 results, since there are 4 messages with this character in it:

index=twitter | search displayBody=*ę*

This query works like it's supposed to and returns many results:

index=twitter | search displayBody=*e*

Also other accented characters cannot be searched in my indexes: (é è ë etc..)
So it seems that Splunk recognizes these characters but I am not able to search them somehow...

Is there a setting of some sort to make sure I can search these characters in my indexes?

gcusello · ‎09-21-2017

Hi DonaldvdHoogenband,
did you tried with regex command instead search?
Bye.
Giuseppe

DonaldvdHoogenb · ‎09-21-2017

HI Giuseppe,

I tried with the following command: | regex _raw="ę"

This also returns 0 events.

Is there anything else I can try?

gcusello · ‎09-21-2017

try with

your_search | regex "\ę"

Bye.
Giuseppe

How do I search for accented characters?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...