How do I configure props.conf for Splunk to index a binary .dat file?

omerr — Tue, 29 Sep 2020 10:37:05 GMT

Hi,

Today I encountered a strange thing in Splunk.

I have Splunk 6.4.1 running on a Linux server.

I tried to index a .dat file using a Universal Forwarder (Windows 6.4.1) and see that no data coming in to Splunk. When I checked _internal log, I saw that the problem is:

tail reader ignoring file due to binary

When I configured the UF, in inputs.conf I wrote the sourcetype for this file (let's call it: test_dat_file). In addition, I created props.conf with the appropriate configuration that included NO_BINARY_CHECK = true (to force Splunk to index it).

After a couple of tries, I thought maybe my configuration was not correct, so I copied the file to the Splunk server locally and monitored it (the default sourcetype for Splunk was "known_binary"). I hoped this would work, but unfortunately no.

Sample line in the file:

03/08/2016, 00:00:16:394, ip 10.10.10.10 CRC ERR -> Buffer : sc32425sdfvEOT324dsfsg Error 0

(all the lines are the same)

Maybe someone can help with this issue.

Omer.

Re: How do I configure props.conf for Splunk to index a binary .dat file?

sundareshr — Thu, 11 Aug 2016 16:45:03 GMT

See this blog post

http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/

topic Re: How do I configure props.conf for Splunk to index a binary .dat file? in Getting Data In

How do I configure props.conf for Splunk to index a binary .dat file?

Re: How do I configure props.conf for Splunk to index a binary .dat file?