https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147676#M185335 <P>To my knowledge, Splunk cannot index a binary file, however the data from the file can be indexed once it is in a non binary format. There are two approaches you could take: </P> <OL> <LI>You could write a scripted input to get the data into Splunk. Your script would essentially read the binary log file, extract the data from it, and put it into a text format readable by Splunk. See the docs on setting up scripted inputs <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/ScriptedInputsIntro">here</A> and <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Setupcustominputs">here</A>.</LI> <LI>Try the method in <A href="http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/">this blog post.</A></LI> </OL> Wed, 12 Feb 2014 14:20:34 GMT wpreston 2014-02-12T14:20:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147675#M185334 <P>In our WebSphere environment we successfully indexes all SystemOut and SystemErr.log files except for one single cluster and its members. Problem is that one of the applications logs to SystemOut output from CICS which I have been told is encoded using ebcdic encoding. Therefore Splunk rejects the file with the following messages</P> <PRE><CODE> 02-12-2014 10:46:26.505 +0100 INFO TailingProcessor - Ignoring file 'E:\logs\MyCluster\SystemOut.log' due to: binary 02-12-2014 10:46:26.505 +0100 WARN FileClassifierManager - The file 'E:\logs\MyCluster\SystemOut.log' is invalid. Reason: binary </CODE></PRE> <P>For the deployment app defining this file I have created a props.conf file in the folder</P> <PRE><CODE>D:\Splunk\etc\deployment-apps\inputs_prod\default </CODE></PRE> <P>I have tried all below without success</P> <PRE><CODE>[source::E:\\logs\\MyCluster\\SystemOut.log] CHARSET = utf-ebcdic #CHARSET = auto #NO_BINARY_CHECK = 1 </CODE></PRE> <P><STRONG>First</STRONG><BR /> I am not <EM>totally</EM> sure that the location of the props.conf is correct, but I do believe so.</P> <P><STRONG>Secondly</STRONG><BR /> Without really diving into the details and changing the application and how it logs, is it possible to configure Splunk to index the file?</P> Wed, 12 Feb 2014 10:05:54 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147675#M185334 rune_hellem 2014-02-12T10:05:54Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147676#M185335 <P>To my knowledge, Splunk cannot index a binary file, however the data from the file can be indexed once it is in a non binary format. There are two approaches you could take: </P> <OL> <LI>You could write a scripted input to get the data into Splunk. Your script would essentially read the binary log file, extract the data from it, and put it into a text format readable by Splunk. See the docs on setting up scripted inputs <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/AdvancedDev/ScriptedInputsIntro">here</A> and <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Setupcustominputs">here</A>.</LI> <LI>Try the method in <A href="http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/">this blog post.</A></LI> </OL> Wed, 12 Feb 2014 14:20:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147676#M185335 wpreston 2014-02-12T14:20:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147677#M185336 <P>I've done a bit of EBCDIC in my time <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>You will need to decode the EBCDIC and encode in ASCII.</P> <P>You might do this in a scripted input or modular input or pre-process the EBCDIC content before sending to Splunk.</P> <P>The decoding is trivial in python :</P> <PRE><CODE>ebcdic_str = '\xc8\xc5\xd3\xd3\xd6' print ebcdic_str.decode('EBCDIC-CP-BE').encode('ascii') #prints out HELLO </CODE></PRE> Thu, 13 Feb 2014 07:40:00 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Splunk-to-index-a-file-containing-CICS-output/m-p/147677#M185336 Damien_Dallimor 2014-02-13T07:40:00Z