According to a book (Splunk Essentials By: Betsy Page Sigman) I recently read on Splunk, Splunk can read in data from basically all types of files containing clear data, or as they put it, any data. Splunk can also decompress the following types of files: tar, gz, bz2, tar.gz, tgz, tbz, tbz2, zip, and z along with many other formats. If this is true, how does it decompress the data? Specifically, if I am using "Add Data" within the manager can it first decompress a tgz file and then input it or do I need to decompress it first?
I have a tgz file I am trying to input that is 1.08GB in size. However, every time I browse to it and try to input the file I get a message that the file is over 500MB and Splunk will not accept it.
Can someone here help me solve this problem?
Splunk has the built in capability to un-zip/tar/z files. However, the GUI is limited, as it says, to files that are 500mb. That means, you cannot upload a file that is over 500mg.
You will need to use oneshot, or setup a monitor on the file to ingest it into Splunk. You should read here : http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorfilesanddirectoriesusingtheCLI . That describes everything you need to do to get your large tgz file ingested into Splunk.
I fixed the link in esix's answer. The editor decided the period at the end of the sentence was part of the URL, so I added a space and now it works.