Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexing specific files inside a zip folder

lohit
Path Finder
‎01-01-2014 10:03 PM

HI all ,

I want o index specific files inside a zip folder. Directory structure is like this.

D:/Reports/abc.zip/x(empty folder)/y(empty folder)/z(empty folder)/abc.txt,pqr.csv,lmn.csv

Also the tool will generate same zip structure i. D:/reports but the zip file name will be different. Rest all the structure beneath the .zip will be same like below

D:/Reports/abc.zip/x(empty folder)/y(empty folder)/z(empty folder)/abc.txt,pqr.csv,lmn.csv
D:/Reports/123.zip/x(empty folder)/y(empty folder)/z(empty folder)/abc.txt,pqr.csv,lmn.csv

I have 2 questions

  1. How to index lmn.csv file only.
  2. How to make sure that indexed lmn.csv file should be overwritten as soon as there is a new lmn.csv file genrated by toll in D:/reports.

PLs help !!

Tags (2)
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎01-02-2014 10:49 AM

You can't index only a particular file within a zip file. I would actually suggest that you not index the data while it's contained within a zip file because the ArchiveProcessor of splunkd is single threaded and can only read one file at a time. This can be a significant bottleneck in terms of performance on the Splunk instance reading this data. The MUCH better alternative would be to unpack the files with a script and monitor the folder that contains the unpacked files. While it might be easier just to monitor the zip files, it really isn't worth the trouble the bottleneck can cause.

If you've got no alternative but to monitor the zip files, then what you can do is to throw away any data that doesn't match a pattern specified using props and transforms by sending it to nullQueue You can find instructions for that here.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...