hi,Please forgive my English
In my indexer cluster,The Chinese in the event shows that there is a coding problem, showing something like hexadecimal.
\x3A\xAB
I tried to set the sourcetype encoding on the index master node. Set up as follows:
vim /opt/splunk/etc/master-apps/_cluster/local/props.conf
[Firewall]
CHARSET = AUTO
Then distribute the bundle. And did not play any effect
I have also tried to adapt to the Chinese code:
[Firewall]
CHARSET = HZ
But it still does not have any effect
Why?
Is my method wrong?
Where do you collect the data from? You should set the character encoding on the server / endpoint where you have the inputs.conf configured.
Where do you collect the data from? You should set the character encoding on the server / endpoint where you have the inputs.conf configured.
Why is it encoding in inputs.conf, not props.conf? Are there any splunk documentation?
Hi xsstest,
I reckon this is still the best place to read about Where do I configure my Splunk settings?
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings but if you prefer the docs page here it is http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline
cheers, MuS
Updated the comment, you're correct. It should be in props.conf. Set this on your UF where you ingest this and try: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configurecharactersetencoding
The UF forwarding data to the indexer cluster. I configure the encoding on all the indexers。Distribute bundles through the master node
Encoding should be set on the UF, in the [inputs] configuration with a props on the UF.
This is because the data is already indexed on your indexers, and Splunk needs to understand what the encoding is before it indexes the data.
the Firewall is a sourcetype~