Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Handling text .dat files : How can I override splunks system default props.conf configuration for just a single app?

Lucas_K
Motivator
‎08-07-2012 10:59 PM

I am having an issue where file names like this "220120808.dat.gz" are not being processed.

After much investigation (manually uncompressing/renaming etc) it turns out that the system props file is identifying the file as a "known_source" source type because of the .dat file extention after the uncompression process.

Seems to be exactly the same issue as per this older thread -> ( http://splunk-base.splunk.com/answers/31415/splunk-not-indexing-modified-files )

My issue is that in my local applications inputs.conf I am defining the sourcetype for all files monitored in a specific directory. The files are being read from that directory so why isn't the sourcetype stanza applied also? At a guess im thinking that the gzip overrides this setting. Yet doesn't apply the app level sourcetype definition afterwards.

So my question is. Why isn't splunk honoring the system>default>local>app>default>local hierachy for source typing?

The suggestion in the older thread is to put in a new source type definition that redefines the dat file for this app.

ie. ../etc/apps/my_app/local/props.conf (below modified from the original system/default/props.conf file)

[source::....(dat)]
sourcetype = my_sourcetype

I've tried this and it doesn't work and still retains the default source type of "known_binary" and thus is not indexed.

My only other way i thought was to just copy that source section and put it in a local system props.conf. My issue then would be that im redefining this source type for ALL .dat files and not just a single application.

More info can be provided.
splunk 4.3.3.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lucas_K
Motivator
‎10-15-2012 10:33 PM

Solution here (only took 2 months 😐 ) : http://splunk-base.splunk.com/answers/60643/archiveprocessor-bypassing-normal-systemlocalpropsconf-p...

As described in the other post putting the sourcetype definition in the local app didn't override the local system setting when the file is inside an archive.

View solution in original post

Reply
Solved! Jump to solution
Solution

Lucas_K
Motivator
‎10-15-2012 10:33 PM

Solution here (only took 2 months 😐 ) : http://splunk-base.splunk.com/answers/60643/archiveprocessor-bypassing-normal-systemlocalpropsconf-p...

As described in the other post putting the sourcetype definition in the local app didn't override the local system setting when the file is inside an archive.

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎12-28-2012 11:49 AM

upvote for PYRO

0 Karma
Reply
Solved! Jump to solution

pshumate
Explorer
‎08-08-2012 08:40 AM

Try moving the sourcetype = my_sourcetype into the /apps/my_app/local/inputs.conf

[monitor:///path/to/*.dat.gz]
whitelist = \d{1,}\.dat\.gz
sourcetype = my_sourcetype
index = my_index
etc...
0 Karma
Reply
Solved! Jump to solution

pshumate
Explorer
‎08-09-2012 07:06 AM

will you post a snip of the uncompressed .dat and the lines from $SPLUNK/var/log/splunk/splunk.log from where it tries to read the dat.gz?
I added the whitelist as a safety net just in case there was a ton of data in that dir that would regex to *.dat.gz. This being a thing I have learned the hard way.

0 Karma
Reply
Solved! Jump to solution

Lucas_K
Motivator
‎08-08-2012 09:56 PM

I re-read your previous answer of "put sourcetype in input.conf". I already had that also (still not working).

0 Karma
Reply
Solved! Jump to solution

Lucas_K
Motivator
‎08-08-2012 06:40 PM

That whitelist didn't help.

I put this into the app/local/props.conf.

[source::/path/file(.dat|.dat.gz)]
sourcetype = blah.

Then running ./splunk test sourcetype /path/file.dat.gz shows that it correctly sets the sourcetype to "blah". However the data still doesn't show up inside the index if the file is a .gz. I AM however able to get the .dat file in successfully if I manually uncompress it.

Trying a few other things as I really need to be able to process the logs using only splunk and not an external script to uncompress the files.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...