Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use splunk for binary log file?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use splunk for binary log file?
txing
New Member
08-22-2012
06:26 AM
Our application is generating a binary format log files, and we want to use splunk to collect and search through it, can splunk process binary logs? what else should we do?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
08-22-2012
10:29 AM
Another option is to use the unarchive command. There has been a blog entry that illustrates how to do that:
http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/
It still involves scripting, though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
08-22-2012
08:19 AM
While you could technically force Splunk to index a file even though it's in a binary format, the question is what you'd get out of it. If your application logs in some kind of binary format where special knowledge is required to make any sense out of the data, you need to somehow provide that logic so that the data can be converted to something that makes sense to (and in) Splunk. A common way of doing this is using scripted inputs, where you have a script that reads your binary logs, retrieves the data and outputs it as a plaintext format that's suitable to be consumed by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
08-22-2012
10:30 AM
Creating such a scripted input is pretty simple. Everthing that the script sends to STDOUT will be indexed by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
txing
New Member
08-22-2012
09:27 AM
Thanks for the answers, but I'm not scripting guy, for the scripted input, is there a sample or we need to do it by ourselves?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MarioM
Motivator
08-22-2012
08:22 AM
some people like to look at hexadecimal... 😜
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MarioM
Motivator
08-22-2012
06:39 AM
you can allow processing of binary files in props.conf:
NO_BINARY_CHECK = [true|false]
* When set to true, Splunk processes binary files.
* Can only be used on the basis of [<sourcetype>], or [source::<source>], not [host::<host>].
* Defaults to false (binary files are ignored).
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
