Hello,
Reading in a file via inputs.confg, I have a text file I am reading in. The FIRST instances of reading in the file worked file, but subsequent reads are giving me this. Any idea whats up?
B\x00E\x00G\x00I\x00N\x00 \x00s\x00s\x00l\x00_\x00T\x00a\x00r\x00g\x00e\x00t\x00=\x00w\x00w\x00w\x00.\x00s\x00t\x00u\x00b\x00h\x00u\x00b\x00.\x00c\x00o\x00m\x00 \x00s\x00s\x00l\x00_\x00I\x00s\x00s\x00u\x00e\x00r\x00=\x00V\x00e\x00r\x00i\x00S\x00i\x00g\x00n\x00 \x00C\x00l\x00a\x00s\x00s\x00 \x003\x00 \x00E\x00x\x00t\x00e\x00n\x00d\x00e\x00d\x00 \x00V\x00a\x00l\x00i\x00d\x00a\x00t\x00i\x00o\x00n\x00 \x00S\x00S\x00L\x00 \x00C\x00A\x00 \x00W\x00r\x00i\x00t\x00e\x00-\x00H\x00o\x00s\x00t\x00 \x00s\x00s\x00l\x00_\x00P\x00o\x00r\x00t\x00=\x004\x004\x003\x00 \x00s\x00s\x00l\x00_\x00V\x00a\x00l\x00i\x00d\x00T\x00o\x00=\x008\x00-\x001\x003\x00-\x002\x000\x001\x005\x00 \x001\x001\x00:\x005\x009\x00:\x005\x009\x00 \x00P\x00M\x00 \x00s\x00s\x00l\x00_\x00V\x00a\x00l\x00i\x00d\x00F\x00r\x00o\x00m\x00=\x008\x00-\x001\x002\x00-\x002\x000\x001\x003\x00 \x001\x002\x00:\x000\x000\x00:\x000\x000\x00 \x00A\x00M\x00 \x00E\x00N\x00D\x00
\x00
This appears to just be a case of a misread character encoding. This file is saved in what Windows calls "Unicode" format, which is more specifically UTF-16LE. You can ensure that Splunk reads it that way by specifying in props.conf (in the same place where you keep the inputs.conf):
[mysourcetype]
CHARSET = utf-16le
substituting the sourcetype you are assigning in inputs.conf of course.
I've seen this on files that are active. Limiting the search to rolled files works good, but the data is old.
Looking forward to an answer.