I have some text data with some accented characters in it.
However, I am not able to search them properly with a Splunk search query.
I have tested some stuff and I noticed the following:
This query works fine and returns the message I created:
| noop | stats count as message | eval message = "hęllo how are you" | search message=*ę*
This query does not work since it gives me 0 results (even though it should return 4 results, since there are 4 messages with this character in it:
index=twitter | search displayBody=*ę*
This query works like it's supposed to and returns many results:
index=twitter | search displayBody=*e*
Also other accented characters cannot be searched in my indexes: (é è ë etc..)
So it seems that Splunk recognizes these characters but I am not able to search them somehow...
Is there a setting of some sort to make sure I can search these characters in my indexes?
did you tried with regex command instead search?
I tried with the following command: | regex _raw="ę"
This also returns 0 events.
Is there anything else I can try?
your_search | regex "\ę"