Description
We implemented logging from Zoom to our SPLUNK instance via Zoom Marketplace JWT app. Unfortunately in SPLUNK we are seeing lots of null chars and those are creating an issue during the ingestion of the logs.
It is causing our Splunk indexer to crash and stop injesting logs. We have to restart to get them flowing again.
Error
Please see an example below:
{"event": "meeting.sharing_ended", "payload": {"object": {"uuid": "r0pFZE8wS4+senRhu9f3sA==", "participant": {"id": "", "user_id": "16778240", "user_name": "f3sA==,,16778240\ \u0000\u0000\u0002\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000
<continued with the null characters for 20k or so>
Which App Type (OAuth / Chatbot / JWT / Webhook)?
Webhook
Which Endpoint/s?
Splunk
How To Reproduce (If applicable)
Steps to reproduce the behavior:
Enable the Splunk Zoom app and send logs to if via Zoom Webhook
Screenshots (If applicable)
If applicable, add screenshots to help explain your problem.
Additional context
We opened a ticket with zoom support and they told us they can’t help us and to reach out to the developer forum. Full details here with notes INC01298695.