Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup tables: encoding and accented characters

mas
Path Finder
‎05-10-2012 02:34 AM

Hi everybody,

I have some problems with lookup tables based on CSV files. My environment consists in a central Splunk server (4.3), which works as indexer and searcher, and some universal forwarders deployed on remote machines (mainly Windows 2000/2003 servers). The Splunk server is installed on a Windows 2008 R2 operating system.

Since I am working with systems that produce logs also in Italian, I must deal with accented characters ("à", "è", etc.).

When I work with lookup tables, I generally use CSV files saved with UTF-8 encoding. However, in the case of time-based lookups, I am forced to use CSV files saved with ANSI (MS-Windows 1252) encoding, otherwise Splunk is not able to identify the timestamp column in the CSV file (I suppose it fails when reading header row).

When I use ANSI encoding, on the other hand, the lookup fails each time the output value contains any accented character, with the following error: [EventsViewer module] Unable to parse the result xml. Verify the character encoding of the results is correct

Could you give me any suggestions, please? I'm stuck in a dead-lock right now...

Reply

esix_splunk
Splunk Employee
Splunk Employee
‎09-06-2016 07:14 PM

Upgrade to the latest version. 4.3 had a lot of bugs, especially with non-unicode characters.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...