Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are some of the events garbled with "\x00"?

elusive
Splunk Employee
Splunk Employee
‎05-12-2010 03:29 PM

I am indexing some logs and I see some events are filled with "\x00" while some other events are indexed correctly.

Reply
1 Solution
Solved! Jump to solution
Solution

elusive
Splunk Employee
Splunk Employee
‎05-12-2010 03:37 PM

Such behavior is observed when Unix Splunk instance is indexing mounted Windows logs. Windows has a unique way of logging which Unix instance is not aware of causing to index with nulls "\x00". When indexing Windows logs such as iis, exchange, domain controller, and so on, install Splunk as a forwarder on the Windows box and have it forward to Unix Splunk indexer.

View solution in original post

Reply
Solved! Jump to solution

Jason
Motivator
‎07-23-2010 06:19 PM

Nope. UTF-16 turned a lot of the text into asian characters.

0 Karma
Reply
Solved! Jump to solution

Jason
Motivator
‎07-23-2010 03:16 PM

I'm seeing an input from windows onto unix having \x00 and some other unknown characters interspersed with the data. Is UTF-16 the answer to this?

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎07-14-2010 08:20 PM

Ideally, if you are having this symptom, you should be clear about the pattern of null characters (\x00). Are they interleaved with the expected data? Do they come in small bursts (ten bytes or so)? Are there several kilobytes worth of nulls all at once?

0 Karma
Reply
Solved! Jump to solution

Chris_R_
Splunk Employee
Splunk Employee
‎05-12-2010 05:31 PM

This also happens sometimes when the data your indexing is encoded with a different character set such as UTF-16

You can specify the charset in your props.conf
[somesourcetype]
CHARSET = UTF-16

Reply
Solved! Jump to solution

sshres5
Communicator
‎08-09-2016 09:44 AM

So, do we create props.conf on Forwarder TA or Indexer TA?

0 Karma
Reply
Solved! Jump to solution
Solution

elusive
Splunk Employee
Splunk Employee
‎05-12-2010 03:37 PM

Such behavior is observed when Unix Splunk instance is indexing mounted Windows logs. Windows has a unique way of logging which Unix instance is not aware of causing to index with nulls "\x00". When indexing Windows logs such as iis, exchange, domain controller, and so on, install Splunk as a forwarder on the Windows box and have it forward to Unix Splunk indexer.

Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top