Getting Data In

ArchiveProcessor - Bypassing normal system/local/props.conf processing for .dat files inside archives? (4.3.4)


I have a situation in which it would seem that for .dat files inside an archive I can not make it honor the settings listed in a system/local/props.conf.


We have the following 6 unique log files. Note: The example below is proof to myself of the issue and not how my real world sources are gathered. However, I have two customer installations both using the same data format (.dat files inside zip files) so it has a direct customer impact right now.

2.dat (contains 3.log) (contains 4.dat) (contains 5.log and 6.dat)

All zip files are created using the same method. All file names are unique. All file events inside the files are unique.
The following app based inputs.conf

alwaysOpenFile = 1
whitelist = \.dat$|\.log$|\.zip$
crcSalt = < SOURCE >

Due to the .dat being a known binary format I also use a sys/local/props.conf to stop the files from being ignored (as per ).

priority = 20

Now the weird thing is that 1.log,2.dat and WILL be indexed correctly. The archive containing the .dat file will be ignored. So it seems the above stanza works fine for standalone .dat file not ones contained inside archives.

So I check splunkd.log for hints as to what is going on.

 14:50:32.615 +1000 INFO  ArchiveProcessor - reading path=c:\logs\ (seek=0 len=1595)
10-03-2012 14:50:32.615 +1000 INFO  ArchiveProcessor - Archive with path="c:\logs\" was already indexed as a non-archive, skipping. 

So splunk believe's its seen the file before even though it hasn't. I can re-salt the files by renaming them and they will all be indexed again with the exception of any zip file with a .dat file inside.

This then leads to a post at the end of this OLD May 2011 thread (splunk v4.2 at the time) ( ).

Is there some magical setting inside the system/local/props.conf I need to set for sourcetype setting of .dat files INSIDE archives OR is this a known bug?

0 Karma

Re: ArchiveProcessor - Bypassing normal system/local/props.conf processing for .dat files inside archives? (4.3.4)


Update: I have found temporary solution to this!!! (its bad [wouldn't be surprised to see someone from splunk complain loudly NOT to do this] and will probably break your input again upon splunk upgrade but by then hopefully its fixed).

Simply edit the etc/system/default/props.conf and remove the dat from the "known_binary" stanza.

So just replace the following.

sourcetype = known_binary


sourcetype = known_binary

View solution in original post

0 Karma