What settings are required to import Shift JIS log files with Splunk?

To import log files in Shift JIS format, you must first create a configuration file that specifies the character encoding.

  • First, decide the "source type" that you plan to set for the log file to be imported. For example, for a web application, use "webapp".
  • Create a "props.conf" file in the "system\local" folder under the Splunk installation folder, and enter the following.
    [webapp]
    CHARSET=SHIFT-JIS
    * With this setting, files whose source type is webapp are explicitly converted from SHIFT-JIS to UTF-8, which is used for internal processing. Similarly, for EUC-JP log files, set CHARSET=EUC-JP.
  • After entering the settings in props.conf, restart Splunk or run the search command "| extract reload=t" to apply them.
    * When props.conf has been edited directly, running "| extract reload=t" as a search makes Splunk reread the configuration file and apply the change.
  • When specifying the log file under data input on the Splunk management screen, select [Manual] for "Source type set", and in "Source type" enter the source type specified in props.conf above. For this example, enter "webapp".

Note that garbled characters in events that were imported without the above settings will not be resolved by adding the settings afterwards. You need to import those events again.
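
The following is an added example, not part of the original page or of Splunk: a Python check that trial-decodes a log sample to decide which CHARSET value to put in props.conf, and that models why events decoded with the wrong charset cannot be repaired. The function names, the sample log line, and the replace-with-U+FFFD model of a wrong-charset import are assumptions made for illustration.

```python
# Added example (not from the original page): choose the props.conf CHARSET
# for a log sample by strict trial decoding, and show why text decoded with
# the wrong charset cannot be repaired afterwards.

# Python codec name -> CHARSET value as written in props.conf on this page.
CANDIDATES = [("utf-8", "UTF-8"), ("euc_jp", "EUC-JP"), ("shift_jis", "SHIFT-JIS")]


def candidate_charsets(raw: bytes) -> list:
    """Return every CHARSET value under which `raw` decodes without error.

    More than one match is possible (pure ASCII matches all three, and some
    EUC-JP byte runs are also valid Shift JIS), so inspect the decoded text
    before committing to a value.
    """
    matches = []
    for codec, charset in CANDIDATES:
        try:
            raw.decode(codec, errors="strict")
        except UnicodeDecodeError:
            continue
        matches.append(charset)
    return matches


def survives_wrong_decode(raw: bytes, wrong_codec: str = "utf-8") -> bool:
    """Model a lossy import: decode with the wrong codec, replacing bad bytes.

    Assumption for illustration: undecodable bytes become U+FFFD. If the
    round trip does not give back the original bytes, the original text is
    gone and only re-importing the source file can restore it.
    """
    garbled = raw.decode(wrong_codec, errors="replace")
    return garbled.encode(wrong_codec, errors="replace") == raw


# Constructed sample log line, encoded as a Shift JIS application would write it.
SAMPLE_TEXT = "2024-01-15 10:23:45 user=tanaka msg=ログイン失敗"
SAMPLE_SJIS = SAMPLE_TEXT.encode("shift_jis")

if __name__ == "__main__":
    found = candidate_charsets(SAMPLE_SJIS)
    print("candidate CHARSET values:", found)
    print("recoverable after a UTF-8 import:", survives_wrong_decode(SAMPLE_SJIS))
    print("[webapp]\nCHARSET=" + found[0])
```

Run it against the first few kilobytes of a real log file (read in binary mode) before creating the data input.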