Solved: Recognizing Unicode

Stevelim · ‎03-31-2016

Hi there, I am in the problem where I am receiving a JSON data via TCP but I am unable to convert the unicode to the correct one.

For example:

Search string: sourcetype = 123, results =

APPLICATION_NAME:  ABC
ADDRESS: %u0e1b%u0e32%u0e01%u0e41%u0e1e%u0e23%u0e01

From what I understand, I should add under /etc/system/local/props.conf

[sourcetype::123]
CHARSET=TIS-620

With a command | extract reload=T, that should work.

Any idea? Heres the link to the unicode table if anyone is interested:

Stevelim · ‎04-01-2016

Found a workaround by having a macro:

| eval ADDRESS= replace(ADDRESS, "u0e01","ก")
| eval ADDRESS= replace(ADDRESS, "u0e02","ก")

.... Repeat for all 50ish characters

Tedious but it works. I believe the problem is that the server is not forwarding me in the correct unicode format, hence requiring the manual work.

Stevelim · ‎04-01-2016

Found a workaround by having a macro:

| eval ADDRESS= replace(ADDRESS, "u0e01","ก")
| eval ADDRESS= replace(ADDRESS, "u0e02","ก")

.... Repeat for all 50ish characters

Tedious but it works. I believe the problem is that the server is not forwarding me in the correct unicode format, hence requiring the manual work.

jmallorquin · ‎03-31-2016

Try to use the charset ISO-IR-166, after change the value, reboot splunk service.

Regards,

Stevelim · ‎03-31-2016

When I perform the change, will it take effect for indexed events or will that be for newer incoming events?

jmallorquin · ‎03-31-2016

Only affects new events.

Stevelim · ‎04-01-2016

Didn't work for us. Is the unicode supposed to be displayed as such with a percentage code in front?

Recognizing Unicode