https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154910#M31480 <P>Here's a more readable version:</P> <P>Here is inputs.conf:</P> <PRE><CODE>[monitor:///var/cool_csv_logs/file.csv] disabled = 0 followTail = 0 host = some_host index = scratch sourcetype = cool_csv </CODE></PRE> <P>and props.conf:</P> <PRE><CODE>[cool_csv] SHOULD_LINEMERGE = false pulldown_type = true INDEXED_EXTRACTIONS = csv KV_MODE = node category = Structured invalid_cause = archive [source::/var/cool_csv_logs/file.csv] unarchive_cmd = /opt/splunk/bin/convert.pl </CODE></PRE> <P>... should be changed to <CODE>file.log</CODE></P> Tue, 09 Dec 2014 00:36:17 GMT dmillis 2014-12-09T00:36:17Z https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154908#M31478 <P>In 6.2.0, I have written a pre-processor script for a particular CSV log format, to produce a useable timestamp. The script is designed to be used as a 'unarchive_cmd' script for the input. I.e., from the CLI, it functions like this:<BR /> <CODE>cat | convert.pl</CODE></P> <P>The problem: no matter how much I play with inputs.conf and props.conf, the <CODE>unarchive_cmd</CODE> is ignored. Here is inputs.conf:<BR /> <CODE>[monitor:///var/cool_csv_logs/file.csv]<BR /> disabled = 0<BR /> followTail = 0<BR /> host = some_host<BR /> index = scratch<BR /> sourcetype = cool_csv</CODE><BR /> and props.conf:<BR /> `[cool_csv]<BR /> SHOULD_LINEMERGE = false<BR /> pulldown_type = true<BR /> INDEXED_EXTRACTIONS = csv<BR /> KV_MODE = node<BR /> category = Structured<BR /> invalid_cause = archive</P> <P>[source::/var/cool_csv_logs/file.csv]<BR /> unarchive_cmd = /opt/splunk/bin/convert.pl`</P> <P>Why is the <CODE>unarchive_cmd</CODE> not working?</P> Mon, 28 Sep 2020 18:24:38 GMT https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154908#M31478 dmillis 2020-09-28T18:24:38Z https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154909#M31479 <P>Well, David, it turns out that you cannot use a file suffix of <CODE>.csv</CODE> (or <CODE>.txt</CODE>) with unarchive_cmd.</P> <P>Try changing your source filename to <CODE>file.log</CODE></P> <P>(This works!)</P> Tue, 09 Dec 2014 00:03:30 GMT https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154909#M31479 dmillis 2014-12-09T00:03:30Z https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154910#M31480 <P>Here's a more readable version:</P> <P>Here is inputs.conf:</P> <PRE><CODE>[monitor:///var/cool_csv_logs/file.csv] disabled = 0 followTail = 0 host = some_host index = scratch sourcetype = cool_csv </CODE></PRE> <P>and props.conf:</P> <PRE><CODE>[cool_csv] SHOULD_LINEMERGE = false pulldown_type = true INDEXED_EXTRACTIONS = csv KV_MODE = node category = Structured invalid_cause = archive [source::/var/cool_csv_logs/file.csv] unarchive_cmd = /opt/splunk/bin/convert.pl </CODE></PRE> <P>... should be changed to <CODE>file.log</CODE></P> Tue, 09 Dec 2014 00:36:17 GMT https://community.splunk.com/t5/Getting-Data-In/unarchive-cmd-doesn-t-work-for-CSV-file/m-p/154910#M31480 dmillis 2014-12-09T00:36:17Z