Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are some of the events garbled with "\x00"?

elusive
Splunk Employee
Splunk Employee
‎05-12-2010 03:29 PM

I am indexing some logs and I see some events are filled with "\x00" while some other events are indexed correctly.

Reply
1 Solution
Solved! Jump to solution
Solution

elusive
Splunk Employee
Splunk Employee
‎05-12-2010 03:37 PM

Such behavior is observed when Unix Splunk instance is indexing mounted Windows logs. Windows has a unique way of logging which Unix instance is not aware of causing to index with nulls "\x00". When indexing Windows logs such as iis, exchange, domain controller, and so on, install Splunk as a forwarder on the Windows box and have it forward to Unix Splunk indexer.

View solution in original post

Reply
Solved! Jump to solution

Jason
Motivator
‎07-23-2010 06:19 PM

Nope. UTF-16 turned a lot of the text into asian characters.

0 Karma
Reply
Solved! Jump to solution

Jason
Motivator
‎07-23-2010 03:16 PM

I'm seeing an input from windows onto unix having \x00 and some other unknown characters interspersed with the data. Is UTF-16 the answer to this?

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎07-14-2010 08:20 PM

Ideally, if you are having this symptom, you should be clear about the pattern of null characters (\x00). Are they interleaved with the expected data? Do they come in small bursts (ten bytes or so)? Are there several kilobytes worth of nulls all at once?

0 Karma
Reply
Solved! Jump to solution

Chris_R_
Splunk Employee
Splunk Employee
‎05-12-2010 05:31 PM

This also happens sometimes when the data your indexing is encoded with a different character set such as UTF-16

You can specify the charset in your props.conf
[somesourcetype]
CHARSET = UTF-16

Reply
Solved! Jump to solution

sshres5
Communicator
‎08-09-2016 09:44 AM

So, do we create props.conf on Forwarder TA or Indexer TA?

0 Karma
Reply
Solved! Jump to solution
Solution

elusive
Splunk Employee
Splunk Employee
‎05-12-2010 03:37 PM

Such behavior is observed when Unix Splunk instance is indexing mounted Windows logs. Windows has a unique way of logging which Unix instance is not aware of causing to index with nulls "\x00". When indexing Windows logs such as iis, exchange, domain controller, and so on, install Splunk as a forwarder on the Windows box and have it forward to Unix Splunk indexer.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...