Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to set encoding of event on indexer cluster

xsstest
Communicator
‎07-10-2017 06:41 PM

hi,Please forgive my English

In my indexer cluster,The Chinese in the event shows that there is a coding problem, showing something like hexadecimal.

\x3A\xAB

I tried to set the sourcetype encoding on the index master node. Set up as follows:

vim /opt/splunk/etc/master-apps/_cluster/local/props.conf

[Firewall]
CHARSET = AUTO

Then distribute the bundle. And did not play any effect

I have also tried to adapt to the Chinese code:

[Firewall]
CHARSET = HZ

But it still does not have any effect

Why?
Is my method wrong?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 12:04 AM

Where do you collect the data from? You should set the character encoding on the server / endpoint where you have the inputs.conf configured.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 12:04 AM

Where do you collect the data from? You should set the character encoding on the server / endpoint where you have the inputs.conf configured.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-11-2017 06:58 PM

Why is it encoding in inputs.conf, not props.conf? Are there any splunk documentation?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-11-2017 08:14 PM

Hi xsstest,

I reckon this is still the best place to read about Where do I configure my Splunk settings? http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings but if you prefer the docs page here it is http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 08:00 PM

Updated the comment, you're correct. It should be in props.conf. Set this on your UF where you ingest this and try: https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Data/Configurecharactersetencoding

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-11-2017 01:37 AM

The UF forwarding data to the indexer cluster. I configure the encoding on all the indexers。Distribute bundles through the master node

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 02:50 AM

Encoding should be set on the UF, in the [inputs] configuration with a props on the UF.

This is because the data is already indexed on your indexers, and Splunk needs to understand what the encoding is before it indexes the data.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-10-2017 06:42 PM

the Firewall is a sourcetype~

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...