Why is my search resulting in "Regex: UTF-8 error...

saisrujan28 · ‎03-27-2018

| tstats count(host) as count WHERE index=*  earliest=-1d@d latest=@d by host|search [|inputlookup mylast|fields host]

When we use above query, we are getting this error "Regex: UTF-8 error: isolated byte with 0x80 bit set error " But we are able see data without any error if we are using this |inputlookup mylast.

p_gurav · ‎03-28-2018

csv file is in UTF-8 format right?

niketn · ‎03-27-2018

@saisrujan28 can you try the following and confirm?

| tstats count(host) as count WHERE index=*  earliest=-1d@d latest=@d AND [|inputlookup mylast.csv | table host] BY source

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

saisrujan28 · ‎03-28-2018

Sorry i am getting same error 😞

niketn · ‎03-28-2018

@saisrujan28, what happens when you run the inputlookup and tstats commands separately. Do they both run as expected?

|inputlookup mylast.csv | table host

And second search as

| tstats count(host) as count WHERE index=*

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

saisrujan28 · ‎06-13-2018

yes they working expected when we use them separately

niketn · ‎06-13-2018

@saisrujan28 check your lookup file again whether there is any special (non-UTF-8) character in it. You can paste the results to notepad and ensure only UTF-8 Characters are present. Or else you can try subset of hosts in your lookup file to pin point the hosat/s that are causing UTF-8 error.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Why is my search resulting in "Regex: UTF-8 error: isolated byte with 0x80 bit set error"

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!