topic Re: journal.gz in #Random

journal.gz

gizemk00 — Fri, 07 Jul 2017 06:14:16 GMT

when we are using less command into the journal.gz we see that non-text characters like ascii character, what is the reason of this??

Re: journal.gz

Richfez — Fri, 07 Jul 2017 12:19:42 GMT

gzip is a binary file type. There's some magic in how you can tell less to automatically "unzip" a gz file when it displays one, but it's not always turned on.

Not really being a Splunk questions, please refer to this Stack Overflow question for more information and a possible solution.

Re: journal.gz

woodcock — Sat, 08 Jul 2017 22:10:56 GMT

As @rich7177 said, usually *.gz files are compressed text files using gzip. If that is the case, do not use less but instead use zless:

zless journal.gz
zcat journal.gz
zmore journal.gz #Display journal.gz one screen at a time
zgrep '1.2.3.4' journal.gz # Search journal.gz for 1.2.3.4 IP address using grep command like syntax:
egrep 'regex' journal.gz
egrep 'regex1|regex2' journal.gz

Re: journal.gz

dwaddle — Sun, 09 Jul 2017 18:47:01 GMT

Echoing @rich7177 and @woodcock and adding a little more detail.

(A) it's a compressed file. You have to uncompress it to read it. Sometimes less will silently decompress it for you.

(B) Even if you do uncompress it, there's going to be binary data in it. Splunk's journal file has your raw events along with binary metadata about them. What you'll see is clumps of plain text event, surrounded by clumps of binary. That is just how it is, because that is how Splunk stores the data.