https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28700#M4926 <P>upvote for PYRO</P> Fri, 28 Dec 2012 19:49:19 GMT piebob 2012-12-28T19:49:19Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28694#M4920 <P>I am having an issue where file names like this "220120808.dat.gz" are not being processed.</P> <P>After much investigation (manually uncompressing/renaming etc) it turns out that the system props file is identifying the file as a "known_source" source type because of the .dat file extention after the uncompression process.</P> <P>Seems to be exactly the same issue as per this older thread -&gt; ( <A href="http://splunk-base.splunk.com/answers/31415/splunk-not-indexing-modified-files">http://splunk-base.splunk.com/answers/31415/splunk-not-indexing-modified-files</A> )</P> <P>My issue is that in my local applications inputs.conf I am defining the sourcetype for all files monitored in a specific directory. The files are being read from that directory so why isn't the sourcetype stanza applied also? At a guess im thinking that the gzip overrides this setting. Yet doesn't apply the app level sourcetype definition afterwards.</P> <P>So my question is. Why isn't splunk honoring the system&gt;default&gt;local&gt;app&gt;default&gt;local hierachy for source typing?</P> <P>The suggestion in the older thread is to put in a new source type definition that redefines the dat file for this app.</P> <P>ie. ../etc/apps/my_app/local/props.conf (below modified from the original system/default/props.conf file)</P> <PRE><CODE>[source::....(dat)] sourcetype = my_sourcetype </CODE></PRE> <P>I've tried this and it doesn't work and still retains the default source type of "known_binary" and thus is not indexed.</P> <P>My only other way i thought was to just copy that source section and put it in a local system props.conf. My issue then would be that im redefining this source type for ALL .dat files and not just a single application.</P> <P>More info can be provided.<BR /> splunk 4.3.3.</P> Wed, 08 Aug 2012 05:59:50 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28694#M4920 Lucas_K 2012-08-08T05:59:50Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28695#M4921 <P>Try moving the sourcetype = my_sourcetype into the /apps/my_app/local/inputs.conf</P> <PRE><CODE>[monitor:///path/to/*.dat.gz] whitelist = \d{1,}\.dat\.gz sourcetype = my_sourcetype index = my_index etc... </CODE></PRE> Mon, 28 Sep 2020 12:13:19 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28695#M4921 pshumate 2020-09-28T12:13:19Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28696#M4922 <P>That whitelist didn't help.</P> <P>I put this into the app/local/props.conf.</P> <P>[source::/path/file(.dat|.dat.gz)]<BR /> sourcetype = blah.</P> <P>Then running ./splunk test sourcetype /path/file.dat.gz shows that it correctly sets the sourcetype to "blah". However the data still doesn't show up inside the index if the file is a .gz. I AM however able to get the .dat file in successfully if I manually uncompress it.</P> <P>Trying a few other things as I really need to be able to process the logs using only splunk and not an external script to uncompress the files.</P> Thu, 09 Aug 2012 01:40:51 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28696#M4922 Lucas_K 2012-08-09T01:40:51Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28697#M4923 <P>I re-read your previous answer of "put sourcetype in input.conf". I already had that also (still not working).</P> Thu, 09 Aug 2012 04:56:02 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28697#M4923 Lucas_K 2012-08-09T04:56:02Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28698#M4924 <P>will you post a snip of the uncompressed .dat and the lines from $SPLUNK/var/log/splunk/splunk.log from where it tries to read the dat.gz?<BR /> I added the whitelist as a safety net just in case there was a ton of data in that dir that would regex to *.dat.gz. This being a thing I have learned the hard way.</P> Thu, 09 Aug 2012 14:06:54 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28698#M4924 pshumate 2012-08-09T14:06:54Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28699#M4925 <P>Solution here (only took 2 months <span class="lia-unicode-emoji" title=":neutral_face:">😐</span> ) : <A href="http://splunk-base.splunk.com/answers/60643/archiveprocessor-bypassing-normal-systemlocalpropsconf-processing-for-dat-files-inside-archives-434">http://splunk-base.splunk.com/answers/60643/archiveprocessor-bypassing-normal-systemlocalpropsconf-processing-for-dat-files-inside-archives-434</A></P> <P>As described in the other post putting the sourcetype definition in the local app didn't override the local system setting when the file is inside an archive.</P> Tue, 16 Oct 2012 05:33:14 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28699#M4925 Lucas_K 2012-10-16T05:33:14Z https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28700#M4926 <P>upvote for PYRO</P> Fri, 28 Dec 2012 19:49:19 GMT https://community.splunk.com/t5/Getting-Data-In/Handling-text-dat-files-How-can-I-override-splunks-system/m-p/28700#M4926 piebob 2012-12-28T19:49:19Z