Hello team!
We have these logs coming in on port 10162 (say that this is a kind of "syslog", but it comes with a lot of special characters):
I have been trying a lot of sourcetypes, and sometimes Splunk took a little portion of the log, for example:
So finally I made a custom sourcetype, but now Splunk doesn't process any events. The configuration of the sourcetype is:
binary_check is false
truncate is set to 0
Thanks!
The values with \x are garbage values coming into Splunk, which makes the logs look unformatted.
Using a sed command in props will remove those garbage values and make the logs look formatted.
Please include the below in your props and test it:
[sourcetype]
SEDCMD-null = s/\x82//g
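Added example (not part of the original posts, and not Splunk's own code): a small script that inventories which non-text bytes occur in a captured payload, renders one SEDCMD line per byte in the style of the answer above, and previews the cleaned event locally. The sample payload, the `strip_NN` class names and the definition of a "text byte" are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: a syslog-like payload with stray bytes, standing in for
# a capture of what arrives on the port (not data from the original post).
SAMPLE = b"<134>Oct 11 22:14:15 fw01 \x82\x82login ok user=alice\x04\x82 src=10.0.0.5\n"

# Assumption: bytes that belong in a text log line are printable ASCII
# plus tab, LF and CR. Everything else is reported.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def inventory(raw: bytes) -> Counter:
    """Count every byte value that is not ordinary log text."""
    return Counter(b for b in raw if b not in TEXT_BYTES)


def sedcmd_lines(counts: Counter, prefix: str = "strip") -> list[str]:
    """Render one SEDCMD line per offending byte (class names are hypothetical)."""
    return [f"SEDCMD-{prefix}_{b:02x} = s/\\x{b:02x}//g" for b in sorted(counts)]


def preview(raw: bytes, counts: Counter) -> bytes:
    """Apply the same removals locally to see what the event would look like."""
    if not counts:
        return raw
    # Only non-text bytes reach this point, so none is special inside [...].
    pattern = b"[" + b"".join(re.escape(bytes([b])) for b in sorted(counts)) + b"]"
    return re.sub(pattern, b"", raw)


if __name__ == "__main__":
    found = inventory(SAMPLE)
    for value, seen in sorted(found.items()):
        print(f"0x{value:02x} seen {seen} time(s)")
    print("\n".join(sedcmd_lines(found)))
    print(preview(SAMPLE, found).decode("ascii"), end="")
```
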
Hi @lightech1
Someone else might have a better answer than me, but I would make sure this parsing prop is set, which should fix the weird line breaking:
SHOULD_LINEMERGE = false
As you have said, NO_BINARY_CHECK = false
should also be set in the place where data is ingested.
All the best