Splunk Search

Why is my search resulting in "Regex: UTF-8 error: isolated byte with 0x80 bit set error"

saisrujan28
Explorer
| tstats count(host) as count WHERE index=*  earliest=-1d@d latest=@d by host|search [|inputlookup mylast|fields host]

When we use above query, we are getting this error "Regex: UTF-8 error: isolated byte with 0x80 bit set error " But we are able see data without any error if we are using this |inputlookup mylast.

0 Karma

p_gurav
Champion

csv file is in UTF-8 format right?

0 Karma

niketn
Legend

@saisrujan28 can you try the following and confirm?

| tstats count(host) as count WHERE index=*  earliest=-1d@d latest=@d AND [|inputlookup mylast.csv | table host] BY source
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

saisrujan28
Explorer

Sorry i am getting same error 😞

0 Karma

niketn
Legend

@saisrujan28, what happens when you run the inputlookup and tstats commands separately. Do they both run as expected?

|inputlookup mylast.csv | table host

And second search as

| tstats count(host) as count WHERE index=* 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

saisrujan28
Explorer

yes they working expected when we use them separately

0 Karma

niketn
Legend

@saisrujan28 check your lookup file again whether there is any special (non-UTF-8) character in it. You can paste the results to notepad and ensure only UTF-8 Characters are present. Or else you can try subset of hosts in your lookup file to pin point the hosat/s that are causing UTF-8 error.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...