Getting Data In

Can we configure Splunk to not look inside archive files?

dl-it-serveradm
Engager

Hello,

By default:
Splunk Enterprise decompresses archive files before it indexes them. It can handle these common archive file types: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z.
(http://docs.splunk.com/Documentation/Splunk/6.1.6/Data/Monitorfilesanddirectories)

Is it possible to configure Splunk to not do this? Or another way to handle our scenario?

We have a Windows directory input path that we are indexing *.log files. The problem is, there are .zip files in that folder that also contain *.log files, but we want to ignore those.

Thanks in advance.

0 Karma
1 Solution

ddrillic
Ultra Champion

All that you need to do is to specify in the monitor "just" the *.log files.

dl-it-serveradm
Engager

Masa; ddrillic,

Thanks for your replies, however, this does not seem to work. Splunk is still looking within the zip file and finding the .log files within it.

It seems as if it is decompressing the archive and finding the .log files within it. I believe it is the decompression that we need to avoid.

0 Karma

ddrillic
Ultra Champion

What I normally do is being very explicit to the level of the files and not just the directory. Something like - [monitor://C:\Logs\location\log\*.log]

Using this variation ensures that only files with extension of .log will be processed.

0 Karma

dl-it-serveradm
Engager

Thank you both for your help.

Using the whitelist does look like it works. We were getting confused by the number of files that appear in the Files and Directory input for that folder. That number seems to represent the number of files found (plus the root folder), not necessarily the ones it has indexed.

0 Karma

Masa
Splunk Employee

I agree with ddrillic.

0 Karma

Masa
Splunk Employee

Have you restarted Splunk?

F.Y.I.

[monitor://C:\Logs\location\log\*.log]

Splunk will translate this stanza to:

[monitor://C:\Logs\location\log]
whitelist = [^\\/]+\.log$
0 Karma

Masa
Splunk Employee

Also, can you send us example of a file path and the configuration you used?

0 Karma

Masa
Splunk Employee

Assuming your log files exist in C:\Logs\ or subdirectories.

- inputs.conf
[monitor://C:\Logs\...\*.log]

Or, you can make use of a whitelist:

- inputs.conf
[monitor://C:\Logs]
whitelist = \.log$
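The wildcard-to-whitelist translation Masa describes above, together with the archive-decompression behaviour the question quotes from the docs, as an added example that is not from this thread and not Splunk's own code. It emulates how a monitor stanza is scoped so you can check, before restarting the forwarder, which on-disk files a given stanza would hand to the indexer and therefore which archives would get opened. Assumptions: the `*` / `...` regex translation only approximates the documented semantics (`*` stays within one path segment, `...` recurses through directory levels), archives are detected by suffix from the list the docs quote, paths are Windows-style, and the `FILES` listing is constructed for the example; the function names are mine. Confirm the real translation on your instance with `splunk btool inputs list`.

```python
"""Emulate how Splunk scopes a [monitor://...] stanza and which files it
would pick up. Added example: not code from the thread or from Splunk.

The wildcard handling is an approximation of the documented semantics
('*' matches inside one path segment, '...' recurses through directory
levels). Windows paths only. File names in FILES are constructed.
"""
import re
from typing import List, Optional, Tuple

# Archive types the docs say Splunk decompresses before indexing
# (assumption for this example: recognised by file suffix only).
ARCHIVE_SUFFIXES = (".tar", ".gz", ".bz2", ".tgz", ".tbz", ".tbz2", ".zip", ".z")


def pattern_to_regex(pattern: str) -> str:
    """Turn the wildcard tail of a monitor path into a regex over the path
    relative to the monitored directory (the whitelist Splunk derives)."""
    parts = re.split(r"[\\/]", pattern)
    out = []
    for i, part in enumerate(parts):
        if part == "...":
            out.append(r"(?:.*[\\/])?")  # zero or more directory levels
            continue
        piece = re.escape(part).replace(r"\*", r"[^\\/]*")  # '*' never crosses a separator
        if i < len(parts) - 1:
            piece += r"[\\/]"
        out.append(piece)
    return "^" + "".join(out) + "$"


def parse_monitor_stanza(stanza: str) -> Tuple[str, Optional[str]]:
    """Split '[monitor://C:\\Logs\\...\\*.log]' into the directory Splunk
    actually monitors and the derived whitelist regex (None if no wildcard)."""
    m = re.fullmatch(r"\[monitor://(.+)\]", stanza.strip())
    if not m:
        raise ValueError(f"not a monitor stanza: {stanza!r}")
    parts = re.split(r"[\\/]", m.group(1).rstrip("\\/"))
    for i, part in enumerate(parts):
        if "*" in part or part == "...":
            return "\\".join(parts[:i]), pattern_to_regex("\\".join(parts[i:]))
    return "\\".join(parts), None


def select_files(stanza: str, files: List[str], whitelist: Optional[str] = None) -> List[str]:
    """Return the on-disk paths the stanza (plus an optional explicit
    whitelist, searched unanchored against the full path) would hand to the
    indexer. An archive is only decompressed if it survives this filter."""
    base, derived = parse_monitor_stanza(stanza)
    prefix = base.lower() + "\\"
    selected = []
    for path in files:
        norm = path.replace("/", "\\")
        if not norm.lower().startswith(prefix):
            continue  # outside the monitored directory
        rel = norm[len(prefix):]
        if derived is not None and not re.match(derived, rel):
            continue
        if whitelist is not None and not re.search(whitelist, norm):
            continue
        selected.append(path)
    return selected


def archives_swept_in(paths: List[str]) -> List[str]:
    """Selected files Splunk would decompress and index member by member."""
    return [p for p in paths if p.lower().endswith(ARCHIVE_SUFFIXES)]


FILES = [  # constructed listing of C:\Logs for the example
    r"C:\Logs\location\log\app.log",
    r"C:\Logs\location\log\app.log.1",
    r"C:\Logs\location\log\old-logs.zip",  # holds *.log members we do NOT want
    r"C:\Logs\location\log\app.log.gz",
    r"C:\Logs\location\log\archive\2015.log",
    r"C:\Logs\other\svc.log",
]

if __name__ == "__main__":
    cases = [
        (r"[monitor://C:\Logs\location\log]", None),        # bare directory: archives get opened
        (r"[monitor://C:\Logs\location\log\*.log]", None),  # explicit file pattern
        (r"[monitor://C:\Logs\...\*.log]", None),           # recursive variant
        (r"[monitor://C:\Logs]", r"\.log$"),                # explicit whitelist
    ]
    for stanza, wl in cases:
        picked = select_files(stanza, FILES, wl)
        archives = archives_swept_in(picked)
        print(stanza, "whitelist=%r" % wl)
        for p in picked:
            print("  ", p, "(ARCHIVE: would be decompressed)" if p in archives else "")
```

Running the script shows the point of the thread: the bare directory stanza selects `old-logs.zip` and `app.log.gz`, so their `.log` members end up indexed, while the `*.log` pattern, the recursive `...\*.log` form and the explicit `whitelist = \.log$` all drop the archives before Splunk ever opens them. Note that `*.log` on its own also excludes rotated `app.log.1`, which may or may not be what you want.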