- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Failed to decode 1 byte
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Failed to decode 1 byte
I am trying to index a new file and am first configuring the source type in the Data Preview screen, however although the records seem to be recognised ok, at the top of the screen I am getting the message "Failed to decode 1 bytes".
The props.conf entry for this source type will have the following parameters:
DATETIME_CONFIG=CURRENT
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TRUNCATE=0
The file contains no timestamps and I am only interested in indexing the file to be able to search the data (one line per event). I tried removing the lines
DATETIME_CONFIG=CURRENT
TRUNCATE=0
but still got the same message.
Can anyone indicate what may be causing this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, I got a similar error message "failed to decode 1 bytes; failed to decode 2 bytes". what´s wrong? after examining the input-file it shows, it is iso8859-1 encoded (first "special" char in line 400). after overwriting the props.conf in data preview
CHARSET=UTF8 (splunks guess)
with
CHARSET=ISO8859-1
removes the error message and splunk interprets (especially views the "special" char) the contents right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same error...
I have a log file with this content:
2013/10/04 15:40:05;PC301359;drussef;HEW2.exe;CFW70x_v12x - High-performance Embedded Workshop - [SoftPlc.c];,explorer.exe,HEW2.exe,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:11;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:17;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:23;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
2013/10/04 15:40:29;PC301359;drussef;HEW2.exe;EcxMonitor;,explorer.exe,,bacbeat.exe,bacbeat.exe,bacbeat.exe,explorer.exe,sidebar.exe,sidebar.exe,explorer.exe,explorer.exe,OUTLOOK.EXE,OUTLOOK.EXE,HEW2.exe
My props.conf:
[RUL]
NO_BINARY_CHECK = 1
pulldown_type = 1
CHECK_FOR_HEADER = false
REPORT-AutoHeader = AutoHeader-1
My transforms.conf:
[AutoHeader-1]
DELIMS = ";"
FIELDS = "TIMESTAMP", "HOSTNAME", "USERNAME", "PROCESS", "WINDOW", "OTHER_PROCESSES"
When I add a new input pointing to this log file, and choosing the RUL sourcetype I have a good preview:
File properties
Path /data/RUL.log
Bytes 1,420,726
number of events extracted 9,999
Event time distribution
10/4/13 3:00 PM10/8/13 11:00 AM
Event linecount distribution
lines per event # of events
1 9,999 (100%)
But at the top of the screen a have an error message:
"Failed to decode 1 bytes; Failed to decode 10 bytes"
After finhishing, trying to search on the RUL soucetype, appears that nothing become indexed.
PS. Runnuning Splunk 6.0
Thanks in advice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All
I am getting the same error can anyone please help me out in this.
Thanks
Gajanan
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
