https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84778#M97170 <P>The version of SUSE Linux I'm using has been compressing my logs with xz (by default) rather than gzip or bzip2. As such, when I added the log directory into splunk, there's a large gap where those files couldn't be parsed.</P> <P>I can go through and unxz all of the logs and use bzip2 to compress them, and change logrotate to use bzip2 instead of xz, but I do like that xz achieves higher compression ratios than bzip2. I'm assuming that the decompression algorithms supported by splunk are hard-coded, but I thought I'd ask if it's something I can modify on my end to add support for that file type.</P> <P>If not, is this something that is being considered for a future release?</P> Wed, 27 Jun 2012 06:58:35 GMT hatchmt 2012-06-27T06:58:35Z https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84778#M97170 <P>The version of SUSE Linux I'm using has been compressing my logs with xz (by default) rather than gzip or bzip2. As such, when I added the log directory into splunk, there's a large gap where those files couldn't be parsed.</P> <P>I can go through and unxz all of the logs and use bzip2 to compress them, and change logrotate to use bzip2 instead of xz, but I do like that xz achieves higher compression ratios than bzip2. I'm assuming that the decompression algorithms supported by splunk are hard-coded, but I thought I'd ask if it's something I can modify on my end to add support for that file type.</P> <P>If not, is this something that is being considered for a future release?</P> Wed, 27 Jun 2012 06:58:35 GMT https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84778#M97170 hatchmt 2012-06-27T06:58:35Z https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84779#M97171 <P>You can enable any sort of decompression setting the <STRONG>unarchive_cmd</STRONG> configuration in <STRONG>props.conf</STRONG> for your input. If you want to pick xz files by default, something like this should work:</P> <BLOCKQUOTE> <P>[source::.../*.xz]<BR /> unarchive_cmd = /usr/bin/xz -cd -</P> </BLOCKQUOTE> <P>If you already have a specific stanza in <STRONG>props.conf</STRONG> for that particular source, you'll need to tweak it.</P> Tue, 02 Aug 2016 15:10:36 GMT https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84779#M97171 ichaer_splunk 2016-08-02T15:10:36Z https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84780#M97172 <P>Hatchmt, were you able to read xz files? If so, what steps did you follow? Thanks! </P> Wed, 22 Aug 2018 16:38:49 GMT https://community.splunk.com/t5/Getting-Data-In/Support-for-logs-compressed-with-xz/m-p/84780#M97172 juanlazarosanch 2018-08-22T16:38:49Z