Getting Data In

Log messages about undiscovered character set and UTF-8 in metrics.log and splunkd.log

absreim
Explorer

Hi,

While conducting an analysis of bandwidth usage by Splunk 6 agents on two separate desktops, I noticed a discrepancy in the bandwidth usage by a factor of 2. After doing some research into the issue, I noticed that a large number of events concerning log entries in splunkd.log and metrics.log were being sent to the _internal index, and these events account for the vast majority of the bandwidth usage discrepancy.

Does anyone know what the log entries below mean? If so, how do I configure log.cfg to disable these informational entries?

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:51.651 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log|host::P-2UA3490YXK|splunkd|678"

Thanks

Tags (3)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That's interesting, over here I see UTF8Processor set to WARN by default (rootCategory in log.cfg)... that's on an indexer though. If that's not the case for your forwarder, you should be able to set this by either changing the existing override (search for category.UTF8Processor) or by adding an override for that category alongside all the other overrides that already are there, something like this:

...
[splunkd]
rootCategory=WARN,A1
category.UTF8Processor=INFO
category.AdminManagerKN=INFO
...
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I added it myself, it didn't exist before as well.

0 Karma

absreim
Explorer

This line doesn't exist in the configuration on our Splunk agents, which are version 6.0.0.

category.UTF8Processor=INFO

What version of the agent are you using?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!