How can I read a tgz file into Splunk?

sdse78 · ‎08-13-2016

According to a book (Splunk Essentials By: Betsy Page Sigman) I recently read on Splunk, Splunk can read in data from basically all types of files containing clear data, or as they put it, any data. Splunk can also decompress the following types of files: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z along with many other formats. If this is true, how does it decompress the data? Specifically, if I am using "Add Data" within the manager can it first decompress a tgz file and then input it or do I need to decompress it first?

I have a tgz file I am trying to input that is 1.08GB in size. However, every time I browse to it and try to input the file I get a message that the file is over 500MB and Splunk will not accept it.

Can someone here help me solve this problem?

esix_splunk · ‎08-13-2016

Splunk has the built in capability to un-zip/tar/z files. However, the GUI is limited, as it says, to files that are 500mb. That means, you cannot upload a file that is over 500mg.

You will need to use oneshot, or setup a monitor on the file to ingest it into Splunk. You should read here : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorfilesanddirectoriesusingtheCLI . That describes everything you need to do to get your large tgz file ingested into Splunk.

sdse78 · ‎08-14-2016

I'm having issues with the link your provided.

Richfez · ‎08-14-2016

I fixed the link in esix's answer. The editor decided the period at the end of the sentence was part of the URL, so I added a space and now it works.

sdse78 · ‎08-14-2016

Thank you rich7177. I greatly appreciate it.

How can I read a tgz file into Splunk?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!