Forums: SplunkAdministration: Strange Events




I have events like these in the Splunk frontend:

\x00jaWFsIG

or

\x00dows-1251?B?WW91ciBjb25maXJtYXRpb24gcmVxaXJlZA==?=

But there is no \x0 in my logfiles.

The logfile consists of very long lines (I've seen over 2000 characters per line).

It looks like some lines are truncated and the second part creates a new event preceded by \x0.

I then tried to set TRUNCATE = 0, without any success...

[ecsieve]
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = false
TRUNCATE = 0

This probably has to do with the application padding the file with binary nulls:

http://www.splunk.com/doc/latest/releasenotes/KnownIssues#Windowsspecificconsiderationsandknownissues

"Some applications, such as IIS, will pre-allocate disk space for log files by padding them with binary null characters. (SPL-14682)"

Nope... this is on a Unix box and I checked that there is no \x0 character in the file....

What application is logging this file? You won't see the binary nulls because they are eventually overwritten by the data that the nulls were padding for.
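
The effect the last reply describes, as an added example that is not part of the original thread: a writer pre-allocates space with NUL bytes, a reader picks the file up before the padding is overwritten, and a later inspection of the file finds no NULs. The reader here is a simplified stand-in, not Splunk's tailing code, and the sample events are constructed.

```python
import os
import re
import tempfile

# Constructed sample events; not taken from the poster's log file.
FIRST = b"2009-01-01 00:00:01 first event\n"
SECOND = b"2009-01-01 00:00:02 second event\n"


def nul_runs(data):
    """Return (offset, length) for every run of NUL bytes in data."""
    return [(m.start(), len(m.group())) for m in re.finditer(rb"\x00+", data)]


def simulate_padded_log():
    """Return (snapshot a tailing reader took, file contents afterwards)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        # Writer: one real event, then pre-allocated space filled with NULs.
        with open(path, "wb") as f:
            f.write(FIRST + b"\x00" * len(SECOND))
        # Reader: picks the file up while the padding is still there.
        with open(path, "rb") as f:
            snapshot = f.read()
        # Writer: overwrites the padding in place with the next event.
        with open(path, "r+b") as f:
            f.seek(len(FIRST))
            f.write(SECOND)
        # Later inspection of the file, as done with an editor or grep.
        with open(path, "rb") as f:
            final = f.read()
        return snapshot, final
    finally:
        os.unlink(path)


if __name__ == "__main__":
    snapshot, final = simulate_padded_log()
    print("reader saw NUL runs:", nul_runs(snapshot))
    print("file afterwards:   ", nul_runs(final))
```

`nul_runs` can also be run over the raw bytes of a real log file (opened in binary mode) to confirm whether NULs are present at the moment of the check.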
