https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66776#M13405 <P>Hi,</P> <P>as we know , before splunk eat a compressed file, splunk will decompress it first then index it. </P> <P>but, if we have many compressed files under the same directory (ex: ap_20110301.zip, ap_20110302.zip ...) and their original file name are the same (ex:ap.log), what will happen ? </P> <P>will splunk decompress all those files then index them ? or decompress and index one by one ? </P> <P>because their original file name are the same , if splunk decompress all of the files at first , it will overwrite existing files (actually, this is what we observed, but we want to make sure).</P> <P>thanks.</P> Thu, 24 Mar 2011 08:06:11 GMT dmlee 2011-03-24T08:06:11Z https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66776#M13405 <P>Hi,</P> <P>as we know , before splunk eat a compressed file, splunk will decompress it first then index it. </P> <P>but, if we have many compressed files under the same directory (ex: ap_20110301.zip, ap_20110302.zip ...) and their original file name are the same (ex:ap.log), what will happen ? </P> <P>will splunk decompress all those files then index them ? or decompress and index one by one ? </P> <P>because their original file name are the same , if splunk decompress all of the files at first , it will overwrite existing files (actually, this is what we observed, but we want to make sure).</P> <P>thanks.</P> Thu, 24 Mar 2011 08:06:11 GMT https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66776#M13405 dmlee 2011-03-24T08:06:11Z https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66777#M13406 <P>Splunk never actually decompresses the files within archives to a temporary location on disk. Instead we use a library called "libarchive" that allows us to stream through the contents of archives. These streamed contents are then indexed.</P> Thu, 24 Mar 2011 08:56:54 GMT https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66777#M13406 Stephen_Sorkin 2011-03-24T08:56:54Z https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66778#M13407 <P>lessons learned, thanks</P> Thu, 24 Mar 2011 13:29:12 GMT https://community.splunk.com/t5/Getting-Data-In/load-compressed-files/m-p/66778#M13407 dmlee 2011-03-24T13:29:12Z