Hi everybody,

I have some problems with lookup tables based on CSV files. My environment consists in a central Splunk server (4.3), which works as indexer and searcher, and some universal forwarders deployed on remote machines (mainly Windows 2000/2003 servers). The Splunk server is installed on a Windows 2008 R2 operating system.

Since I am working with systems that produce logs also in Italian, I must deal with accented characters ("à", "è", etc.).

When I work with lookup tables, I generally use CSV files saved with UTF-8 encoding. However, in the case of time-based lookups, I am forced to use CSV files saved with ANSI (MS-Windows 1252) encoding, otherwise Splunk is not able to identify the timestamp column in the CSV file (I suppose it fails when reading header row).

When I use ANSI encoding, on the other hand, the lookup fails each time the output value contains any accented character, with the following error: [EventsViewer module] Unable to parse the result xml. Verify the character encoding of the results is correct

Could you give me any suggestions, please? I'm stuck in a dead-lock right now...