Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log messages about undiscovered character set and UTF-8 in metrics.log and splunkd.log

absreim
Explorer
‎02-04-2014 02:47 PM

Hi,

While conducting an analysis of bandwidth usage by Splunk 6 agents on two separate desktops, I noticed a discrepancy in the bandwidth usage by a factor of 2. After doing some research into the issue, I noticed that a large number of events concerning log entries in splunkd.log and metrics.log were being sent to the _internal index, and these events account for the vast majority of the bandwidth usage discrepancy.

Does anyone know what the log entries below mean? If so, how do I configure log.cfg to disable these informational entries?

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:52.634 -0500 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log|host::P-2UA3490YXK|splunkd|659"

01-30-2014 11:56:51.651 -0500 INFO UTF8Processor - No charset was discovered with charset=auto setting from initial content. Using UTF-8 charset for "source::C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log|host::P-2UA3490YXK|splunkd|678"

Thanks

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-04-2014 03:29 PM

That's interesting, over here I see UTF8Processor set to WARN by default (rootCategory in log.cfg)... that's on an indexer though. If that's not the case for your forwarder, you should be able to set this by either changing the existing override (search for category.UTF8Processor) or by adding an override for that category alongside all the other overrides that already are there, something like this:

...
[splunkd]
rootCategory=WARN,A1
category.UTF8Processor=INFO
category.AdminManagerKN=INFO
...
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 03:44 PM

I added it myself, it didn't exist before as well.

0 Karma
Reply

absreim
Explorer
‎02-07-2014 03:43 PM

This line doesn't exist in the configuration on our Splunk agents, which are version 6.0.0.

category.UTF8Processor=INFO

What version of the agent are you using?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...