Splunk Search

How to search on non-English keywords?

vj1226
New Member

Hello,
I have user logon logs from different countries, and some of their usernames contain non-English characters, such as Léo, LÓPEZ, PEÑA, etc. They cannot be found when using these characters in the search command as keywords, nor when using English substitutions like Leo, LOPEZ, PENA.

|search index="user_logon" username=Léo OR username=Leo

Is there any way to replace accented characters with English characters? We have users from many countries (thus many charsets), so using regex to replace certain characters won't work very efficiently.

If I cannot replace them, will it be possible to make Splunk recognize these characters in the search command so that I can search on them directly? For example, by editing props.conf and adding a new stanza?

Thanks in advance,

0 Karma

DalJeanis
SplunkTrust

See the answer here - https://answers.splunk.com/answers/516467/lookup-csv-with-nuai-characters-germanspanishfrenc.html

You probably need to verify the encoding you are using is appropriate to the range of potential values...

https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Configurecharactersetencoding

0 Karma
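An added example, not part of the thread and not Splunk code: plain Python showing why a username such as "Léo" matches neither `Léo` nor `Leo` when the log bytes are decoded with the wrong charset, and how accent folding behaves once the charset is right. The function names and the sample events are constructed for illustration.

```python
import unicodedata

# Constructed sample events, modelled on the names mentioned in the question.
SAMPLE_NAMES = ["Léo XXXX", "Xxxx PEÑA", "Xxxx LÓPEZ"]


def fold(text):
    """Build an accent-insensitive search key.

    NFKD splits 'é' into 'e' + a combining accent; dropping the combining
    marks and case-folding leaves a plain lowercase key.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold()


def decode_as(raw, declared):
    """Decode raw log bytes using the charset the input is declared to use."""
    # Undecodable bytes become U+FFFD, so the original letter is lost for good.
    return raw.decode(declared, errors="replace")


def matches(raw, declared, keyword):
    """True if keyword is found in the decoded event, ignoring accents and case."""
    return fold(keyword) in fold(decode_as(raw, declared))


def demo():
    """Try each sample name under a correct and an incorrect declared charset."""
    rows = []
    for name in SAMPLE_NAMES:
        raw = name.encode("latin-1")          # what the host actually wrote
        keyword = fold(name.split()[0])       # ASCII keyword, e.g. 'leo'
        for declared in ("latin-1", "utf-8"):
            rows.append((name, declared, matches(raw, declared, keyword)))
    return rows


if __name__ == "__main__":
    for name, declared, hit in demo():
        print(f"{name!r} written as latin-1, read as {declared}: match={hit}")
```

Letters that have no Unicode decomposition, such as ø or ł, pass through `fold` unchanged and need an explicit mapping if they must be matched by an ASCII keyword.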

Azeemering
Builder

How is it displayed in the actual logfile that is indexed?

When I use quotes it works for me:

|search index="user_logon" username="Léo" OR username=Leo

I have tested this with my Splunk instance and this works for me.

0 Karma

vj1226
New Member

Thank you for your answer! However, it does not work with quotes either. In the actual logfile we have a field "Name" with all usernames like "Xxxx PEÑA" and "Léo XXXX"

0 Karma