Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to set encoding of event on indexer cluster

xsstest
Communicator
‎07-10-2017 06:41 PM

hi,Please forgive my English

In my indexer cluster,The Chinese in the event shows that there is a coding problem, showing something like hexadecimal.

\x3A\xAB

I tried to set the sourcetype encoding on the index master node. Set up as follows:

vim /opt/splunk/etc/master-apps/_cluster/local/props.conf

[Firewall]
CHARSET = AUTO

Then distribute the bundle. And did not play any effect

I have also tried to adapt to the Chinese code:

[Firewall]
CHARSET = HZ

But it still does not have any effect

Why?
Is my method wrong?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 12:04 AM

Where do you collect the data from? You should set the character encoding on the server / endpoint where you have the inputs.conf configured.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 12:04 AM

Where do you collect the data from? You should set the character encoding on the server / endpoint where you have the inputs.conf configured.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-11-2017 06:58 PM

Why is it encoding in inputs.conf, not props.conf? Are there any splunk documentation?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-11-2017 08:14 PM

Hi xsstest,

I reckon this is still the best place to read about Where do I configure my Splunk settings? http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings but if you prefer the docs page here it is http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 08:00 PM

Updated the comment, you're correct. It should be in props.conf. Set this on your UF where you ingest this and try: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configurecharactersetencoding

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-11-2017 01:37 AM

The UF forwarding data to the indexer cluster. I configure the encoding on all the indexers。Distribute bundles through the master node

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 02:50 AM

Encoding should be set on the UF, in the [inputs] configuration with a props on the UF.

This is because the data is already indexed on your indexers, and Splunk needs to understand what the encoding is before it indexes the data.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-10-2017 06:42 PM

the Firewall is a sourcetype~

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...