Getting Data In

UTF-8 characters - how to remove them automatically

dabroma5
Explorer

Hi, 

I am looking for a solution to remove UTF-8 character encoding from the logs

I have a regular expression that works in the search field, but I would like to find an automated solution for Splunk Cloud.

| rex mode=sed "s/\x1B\[[0-9;]*[mK]//g"

Sample log line:

2023-11-15 11:47:21,605 backend_2023.2.8: INFO  [-dispatcher-7] vip.service.northbound.MrpServiceakkaAddress=akka://backend, akkaUid=2193530468036521242 MRP Service is alive and active.

Any idea?

Thanks for help. 

0 Karma

PickleRick
SplunkTrust

1. UTF-8 includes normal ASCII range. I don't think that's what you meant by "remove UTF-8 characters". UTF-8 is just an encoding.

2. What you're presenting are so called ANSI escape sequences.

3. Are you sure they are literally in your logs or do you have them rendered and filtered already?

4. Ugh. Where are you getting those events from? It seems like capturing some terminal input instead of sending events as such. (BTW, you could try setting some dumb terminal type before starting your process so the service doesn't produce such ugly codes).

0 Karma

dabroma5
Explorer

This is what it looks like straight from the log file:

2023-11-15 11:47:21,605 backend_2023.2.8: INFO  [-dispatcher-7] vip.service.northbound.MrpService.serverakkaAddress=akka://backend, akkaUid=2193530468036521242 Server is alive - num conns = 0

Of course it looks better from the terminal.


0 Karma

PickleRick
SplunkTrust

To be honest, I'm not fully sure at which step of the pipeline (if any) those non-printable characters are escaped. I'll have to verify it.

But still - it would be best if you could make the source generate logs without the formatting codes - they don't belong there. It's a presentation layer, those codes shouldn't be in the log entries.

0 Karma

dabroma5
Explorer

Hi

I have a log file which contains UTF-8 characters

"[1;33mWARN  [-dispatcher-6] " and so on.

The regex below works perfectly, but how do I automate this solution?

| rex mode=sed "s/\x1B\[[0-9;]*[mK]//g"

Thanks for your help.

0 Karma

dabroma5
Explorer

Which one should I move to /opt/splunkforwarder/etc/system/local and edit:

/opt/splunkforwarder/etc/system/default/props.conf
/opt/splunkforwarder/etc/apps/search/default/props.conf
/opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/props.conf
/opt/splunkforwarder/etc/apps/learned/local/props.conf
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/props.conf
/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_local/apps/learned/local/props.conf
/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_default/system/default/props.conf
/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_default/apps/search/default/props.conf
/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_default/apps/splunk_internal_metrics/default/props.conf
/opt/splunkforwarder/var/run/splunk/confsnapshot/baseline_default/apps/SplunkUniversalForwarder/default/props.conf

0 Karma

richgalloway
SplunkTrust

None of those. The SEDCMD setting must be on the indexer(s) and/or heavy forwarders. It should go in the stanza where the sourcetype it goes with resides (if the file is in a default stanza then put the setting in the associated local directory).

---
If this reply helps you, Karma would be appreciated.
0 Karma

dabroma5
Explorer

I can't make it work.

I found some explanation here:

https://community.splunk.com/t5/Getting-Data-In/How-to-replace-characters-in-logs-using-SEDCMD-in-pr...

but they said the change should be made in HF props.conf

I need to make it work on UF for Splunk Cloud

0 Karma

richgalloway
SplunkTrust

Use that regex in SEDCMD in props.conf.

[mysourcetype]
SEDCMD-no_UTF-8 = s/\x1B\[[0-9;]*[mK]//g


---
If this reply helps you, Karma would be appreciated.
0 Karma
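As an added illustration (not code from the thread or from Splunk), the Python below applies the thread's SEDCMD regex to a constructed copy of the sample line with the ESC bytes restored, and contrasts it with a broader CSI pattern that also catches cursor-movement codes the `[mK]` suffix leaves behind. The broader pattern, the `strip_escapes`/`residual_escapes` helpers and the sample lines are assumptions of this example.

```python
import re

# The exact pattern used in the thread's SEDCMD: ESC, '[', optional
# digits/semicolons, final byte 'm' (colour/SGR) or 'K' (erase in line).
THREAD_RE = re.compile(r"\x1B\[[0-9;]*[mK]")

# Broader CSI pattern (an assumption of this example, not from the thread):
# ESC '[' parameter bytes 0x30-0x3F, intermediate bytes 0x20-0x2F and any
# final byte 0x40-0x7E, so cursor-movement and clear-screen codes go too.
CSI_RE = re.compile(r"\x1B\[[0-?]*[ -/]*[@-~]")


def strip_escapes(line: str, pattern: re.Pattern = THREAD_RE) -> str:
    """Return `line` with every match of `pattern` removed, which is what
    SEDCMD's s/.../.../g does to _raw at index time."""
    return pattern.sub("", line)


def residual_escapes(line: str) -> int:
    """Count ESC bytes that survived cleaning; a non-zero value means the
    pattern in props.conf is narrower than what the source emits."""
    return line.count("\x1b")


# Constructed samples: the thread's log line with the colour codes put back
# (the forum stripped the raw ESC bytes), plus a line prefixed with a
# cursor-up code that the thread pattern does not cover.
SAMPLE_SGR = ("2023-11-15 11:47:21,605 backend_2023.2.8: \x1b[1;33mWARN\x1b[0m  "
              "[-dispatcher-6] vip.service.northbound.MrpService Server is alive - num conns = 0")
SAMPLE_CURSOR = ("\x1b[1A\x1b[2K2023-11-15 11:47:22,001 backend_2023.2.8: INFO  "
                 "[-dispatcher-7] MRP Service is alive and active.")

CLEAN_SGR = ("2023-11-15 11:47:21,605 backend_2023.2.8: WARN  "
             "[-dispatcher-6] vip.service.northbound.MrpService Server is alive - num conns = 0")
CLEAN_CURSOR = ("2023-11-15 11:47:22,001 backend_2023.2.8: INFO  "
                "[-dispatcher-7] MRP Service is alive and active.")

if __name__ == "__main__":
    for raw in (SAMPLE_SGR, SAMPLE_CURSOR):
        for name, pat in (("thread", THREAD_RE), ("csi", CSI_RE)):
            out = strip_escapes(raw, pat)
            print(f"{name}: residual ESC={residual_escapes(out)} -> {out!r}")
```

Running it shows the thread pattern cleans the coloured WARN line completely but leaves one ESC byte on the cursor-code line, which the CSI pattern removes.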

dabroma5
Explorer

Unfortunately, this is not an option for Splunk Cloud

0 Karma

richgalloway
SplunkTrust

Splunk Cloud fully supports SEDCMD.

---
If this reply helps you, Karma would be appreciated.
0 Karma