How do I ingest a 7z file?

Communicator

Hi Splunkers!

Need your help. Is there a way for Splunk to ingest data that is compressed using 7z? I saw that there is an app on Splunkbase, splunkbase.splunk.com/app/4255/, that can decompress zstd. I know that decompressing the 7z would be faster, but the use case dictates that we ingest the 7z file directly.

Thanks!

0 Karma

Influencer

Hi,

This answer is pretty old, but I did not find anything new about this, so it could still be the case that 7z is not supported.

https://answers.splunk.com/answers/13807/indexing-7-zip-files.html

Splunk can ingest compressed data. Did you try to test 7z on a local instance?

0 Karma

Communicator

Thanks for your response!

Splunk doesn't support 7z. We tried adding it through unarchive_cmd in the props.conf but it just wouldn't work.

We also installed the command-line version of 7z (p7zip). Below is the configuration we used:

props.conf

[source::....7z(.\d+)?]
unarchive_cmd = 7z e -so
sourcetype = preprocess-7z
NO_BINARY_CHECK = true

[preprocess-7z]
invalid_cause = archive
is_valid = False
LEARN_MODEL = false
0 Karma
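
Added example, not part of the thread and not Splunk's or p7zip's own code: a wrapper that could be referenced as the unarchive_cmd, assuming (per props.conf.spec) that the command receives the archive on stdin and must write the data to stdout, and that 7z cannot read a .7z archive from a pipe, so the bytes are spooled to a temp file first. The script name unarchive_7z.sh, the function spool_and_extract and the MAX_SPOOL_BYTES cap are hypothetical.

```shell
#!/bin/sh
# Added example: stdin-to-stdout wrapper for use as an unarchive_cmd.
# Assumption: Splunk pipes the archive bytes to the command's stdin and
# reads events from its stdout, and 7z needs a seekable file for .7z.
# The script name unarchive_7z.sh and the size cap are hypothetical.

MAX_SPOOL_BYTES="${MAX_SPOOL_BYTES:-1073741824}"   # refuse archives over 1 GiB

# spool_and_extract CMD [ARGS...]
# Copies stdin to a private temp file, then runs CMD ARGS <tempfile>.
# Returns 1 on temp-file errors, 2 on empty input, 3 when the cap is
# exceeded, otherwise the extractor's own exit status.
spool_and_extract() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/unarchive7z.XXXXXX") || return 1
    # Read at most cap+1 bytes so an oversized stream cannot fill the disk.
    head -c "$((MAX_SPOOL_BYTES + 1))" > "$tmp" || { rm -f "$tmp"; return 1; }
    size=$(($(wc -c < "$tmp")))
    if [ "$size" -eq 0 ]; then rm -f "$tmp"; return 2; fi
    if [ "$size" -gt "$MAX_SPOOL_BYTES" ]; then
        echo "archive exceeds $MAX_SPOOL_BYTES bytes, skipped" >&2
        rm -f "$tmp"; return 3
    fi
    rc=0
    "$@" "$tmp" || rc=$?      # extractor writes the decompressed data to stdout
    rm -f "$tmp"
    return "$rc"
}

# Run only when installed under the hypothetical name, e.g. referenced as
#   unarchive_cmd = /path/to/unarchive_7z.sh
case "${0##*/}" in
    unarchive_7z.sh) spool_and_extract 7z e -so; exit $? ;;
esac
```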