Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use splunk for binary log file?

txing
New Member
‎08-22-2012 06:26 AM

Our application is generating a binary format log files, and we want to use splunk to collect and search through it, can splunk process binary logs? what else should we do?

Thanks

Tags (1)
0 Karma
Reply

ziegfried
Influencer
‎08-22-2012 10:29 AM

Another option is to use the unarchive command. There has been a blog entry that illustrates how to do that:

http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/

It still involves scripting, though.

Reply

Ayn
Legend
‎08-22-2012 08:19 AM

While you could technically force Splunk to index a file even though it's in a binary format, the question is what you'd get out of it. If your application logs in some kind of binary format where special knowledge is required to make any sense out of the data, you need to somehow provide that logic so that the data can be converted to something that makes sense to (and in) Splunk. A common way of doing this is using scripted inputs, where you have a script that reads your binary logs, retrieves the data and outputs it as a plaintext format that's suitable to be consumed by Splunk.

Reply

ziegfried
Influencer
‎08-22-2012 10:30 AM

Creating such a scripted input is pretty simple. Everthing that the script sends to STDOUT will be indexed by Splunk.

0 Karma
Reply

txing
New Member
‎08-22-2012 09:27 AM

Thanks for the answers, but I'm not scripting guy, for the scripted input, is there a sample or we need to do it by ourselves?

Thanks

0 Karma
Reply

MarioM
Motivator
‎08-22-2012 08:22 AM

some people like to look at hexadecimal... 😜

0 Karma
Reply

MarioM
Motivator
‎08-22-2012 06:39 AM

you can allow processing of binary files in props.conf:

NO_BINARY_CHECK = [true|false]
* When set to true, Splunk processes binary files.
* Can only be used on the basis of [<sourcetype>], or [source::<source>], not [host::<host>].
* Defaults to false (binary files are ignored).
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...