Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Recognizing Unicode
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stevelim
Communicator
03-31-2016
12:42 AM
Hi there, I am in the problem where I am receiving a JSON data via TCP but I am unable to convert the unicode to the correct one.
For example:
Search string: sourcetype = 123, results =
APPLICATION_NAME: ABC
ADDRESS: %u0e1b%u0e32%u0e01%u0e41%u0e1e%u0e23%u0e01
From what I understand, I should add under /etc/system/local/props.conf
[sourcetype::123]
CHARSET=TIS-620
With a command | extract reload=T, that should work.
Any idea? Heres the link to the unicode table if anyone is interested:
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stevelim
Communicator
04-01-2016
06:34 AM
Found a workaround by having a macro:
| eval ADDRESS= replace(ADDRESS, "u0e01","ก")
| eval ADDRESS= replace(ADDRESS, "u0e02","ก")
.... Repeat for all 50ish characters
Tedious but it works. I believe the problem is that the server is not forwarding me in the correct unicode format, hence requiring the manual work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stevelim
Communicator
04-01-2016
06:34 AM
Found a workaround by having a macro:
| eval ADDRESS= replace(ADDRESS, "u0e01","ก")
| eval ADDRESS= replace(ADDRESS, "u0e02","ก")
.... Repeat for all 50ish characters
Tedious but it works. I believe the problem is that the server is not forwarding me in the correct unicode format, hence requiring the manual work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jmallorquin
Builder
03-31-2016
03:50 AM
Try to use the charset ISO-IR-166, after change the value, reboot splunk service.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stevelim
Communicator
03-31-2016
04:15 AM
When I perform the change, will it take effect for indexed events or will that be for newer incoming events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jmallorquin
Builder
03-31-2016
04:18 AM
Only affects new events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stevelim
Communicator
04-01-2016
12:51 AM
Didn't work for us. Is the unicode supposed to be displayed as such with a percentage code in front?
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
Maximizing the Value of Splunk ES 8.x
Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
