Can we configure Splunk to not look inside archive files?

dl-it-serveradm
Engager

Hello,

By default:
Splunk Enterprise decompresses archive files before it indexes them. It can handle these common archive file types: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z.
(http://docs.splunk.com/Documentation/Splunk/6.1.6/Data/Monitorfilesanddirectories)

Is it possible to configure Splunk to not do this? Or another way to handle our scenario?

We have a Windows directory input path that we are indexing *.log files. The problem is, there are .zip files in that folder that also contain *.log files, but we want to ignore those.

Thanks in advance.

0 Karma
1 Solution

ddrillic
Ultra Champion

All that you need to do is to specify in the monitor "just" the *.log files.

dl-it-serveradm
Engager

Masa; ddrillic,

Thanks for your replies, however, this does not seem to work. Splunk is still looking within the zip file and finding the .log files within it.

It seems as if it is decompressing the archive and finding the .log files within it. I believe it is the decompression that we need to avoid.

0 Karma

ddrillic
Ultra Champion

What I normally do is be very explicit down to the level of the files and not just the directory. Something like - [monitor://\C:\Logs\location\log\*.log]

Using this variation ensures that only files with the .log extension will be processed.

0 Karma

dl-it-serveradm
Engager

Thank you both for your help.

Using the whitelist does look like it works. We were getting confused by the number of files that appear in the Files and Directory input for that folder. That number seems to represent the number of files found (plus the root folder), not necessarily the ones it has indexed.

0 Karma

Masa
Splunk Employee

I agree with ddrillic.

0 Karma

Masa
Splunk Employee

Have you restarted Splunk?

F.Y.I.

[monitor://\C:\Logs\location\log\*.log]

Splunk will translate this stanza to:

[monitor://\C:\Logs\location\log]
whitelist = [^\//]+\.log

0 Karma

Masa
Splunk Employee

Also, can you send us an example of a file path and the configuration you used?

0 Karma

Masa
Splunk Employee

Assuming your log files exist in C:\Logs\ or its subdirectories.

- inputs.conf
[monitor://\C:\Logs\....log]

Or, you can make use of a whitelist

- inputs.conf
[monitor://\C:\Logs]
whitelist = \.log$
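The following is an added example (not code from the thread or from Splunk) that models how the whitelist and blacklist regexes discussed above filter on-disk paths, so you can check a candidate stanza against sample paths before deploying it. It assumes a simplified version of the documented behaviour: regexes are searched against the full path, a blacklist match wins over a whitelist match, and a wildcard monitor path is translated into a whitelist where `*` matches one path segment and `...` matches any depth; the sample paths are constructed.

```python
import re

# Constructed sample of on-disk paths under the monitored folder from the thread.
SAMPLE_PATHS = [
    r"C:\Logs\location\log\app.log",
    r"C:\Logs\location\log\old\app-2015.log",
    r"C:\Logs\location\log\archive.zip",      # contains *.log members; must not be indexed
    r"C:\Logs\location\log\app.log.zip",
    r"C:\Logs\location\log\readme.txt",
]


def wildcard_to_whitelist(monitor_path):
    """Model the translation the thread describes: a wildcard in the monitor path
    becomes a whitelist regex. '*' matches one path segment, '...' matches any
    number of segments; everything else is literal. Simplified, not Splunk's code."""
    out = []
    for tok in re.split(r"(\.\.\.|\*)", monitor_path):
        if tok == "...":
            out.append(".*")
        elif tok == "*":
            out.append(r"[^\\/]+")
        else:
            out.append(re.escape(tok))
    return "".join(out) + "$"


def path_accepted(path, whitelist=None, blacklist=None):
    """Apply whitelist/blacklist the way the Splunk docs describe: regexes are
    searched against the full on-disk path, and a blacklist match wins over a
    whitelist match. The archive file itself is what gets filtered, so a .zip
    rejected here is never opened or decompressed by the input."""
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def select_files(paths, whitelist=None, blacklist=None):
    return [p for p in paths if path_accepted(p, whitelist, blacklist)]


if __name__ == "__main__":
    # Directory-only stanza: every file, including the zip, is picked up.
    print(select_files(SAMPLE_PATHS))
    # Whitelist from the thread: only .log files; the zip is rejected before decompression.
    print(select_files(SAMPLE_PATHS, whitelist=r"\.log$"))
    # Wildcard stanza translated to a whitelist; '...' also descends into subfolders.
    print(select_files(SAMPLE_PATHS, whitelist=wildcard_to_whitelist(r"C:\Logs\...\*.log")))
    # A whitelist without an end anchor also admits app.log.zip; a blacklist closes that gap.
    print(select_files(SAMPLE_PATHS, whitelist=r"\.log", blacklist=r"\.zip$"))
```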