how can i do to make this events into Splunk?

lightech1 · ‎01-31-2019

hello team!

We have this logs comming in a port 10162 (say that this is a kind of "syslog" but it comes with a lot of special characters :

I have been trying a lot of sourcetypes and sometimes the splunk took a little portion of the log, for example:

So finally I make a custom sourcetype but now the splunk dont process any event. The configuration of the sourcetype is:
binary_check is false
truncate is in 0

Thanks!

ssadanala1 · ‎01-31-2019

The values with \x are garbage values coming into splunk which is making logs looks unformated .

usage of sed command in props will remove those garbage value and make logs look formatted .

Please include below in your props and test it

[sourcetype]
SEDCMD-null = s/\x82//g

chrisyounger · ‎01-31-2019

Hi @lightech1

Someone else might have a better answer than me, but I would make sure this parsing props is set - which should fix the wierd line breaking

SHOULD_LINEMERGE = false

As you have said, NO_BINARY_CHECK = false should be also set on the place where data is ingested.

All the best

how can i do to make this events into Splunk?

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!