Getting Data In

How can I read a tgz file into Splunk?

sdse78
New Member

According to a book (Splunk Essentials By: Betsy Page Sigman) I recently read on Splunk, Splunk can read in data from basically all types of files containing clear data, or as they put it, any data. Splunk can also decompress the following types of files: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z along with many other formats. If this is true, how does it decompress the data? Specifically, if I am using "Add Data" within the manager can it first decompress a tgz file and then input it or do I need to decompress it first?

I have a tgz file I am trying to input that is 1.08GB in size. However, every time I browse to it and try to input the file I get a message that the file is over 500MB and Splunk will not accept it.

Can someone here help me solve this problem?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Splunk has the built in capability to un-zip/tar/z files. However, the GUI is limited, as it says, to files that are 500mb. That means, you cannot upload a file that is over 500mg.

You will need to use oneshot, or setup a monitor on the file to ingest it into Splunk. You should read here : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorfilesanddirectoriesusingtheCLI . That describes everything you need to do to get your large tgz file ingested into Splunk.

0 Karma

sdse78
New Member

I'm having issues with the link your provided.

0 Karma

Richfez
SplunkTrust
SplunkTrust

I fixed the link in esix's answer. The editor decided the period at the end of the sentence was part of the URL, so I added a space and now it works.

0 Karma

sdse78
New Member

Thank you rich7177. I greatly appreciate it.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...