I have a Python script that reads data from stdin, converts the input, and outputs human-readable text to stdout.
This is my current setup:
inputs.conf
[monitor:///var/account/pacct]
sourcetype = pacct_binary
props.conf
[pacct_binary]
invalid_cause = archive
unarchive_cmd = /opt/splunk/etc/apps/search/bin/pacct.py
I experimented with multiple configurations in inputs.conf and props.conf. No matter what I do, I always get the following warning when Splunk starts, and I don't see my sourcetype in the Splunk web GUI.
WARN FileClassifierManager - The file '/var/account/pacct' is invalid. Reason: binary
INFO TailingProcessor - Ignoring file '/var/account/pacct' due to: binary
Can anyone post an example of an inputs.conf and props.conf that would let me load this binary file?
Best,
Alex
You can simply ignore the binary check as well using the following props attribute.
#******************************************************************************
# Binary file configuration
#******************************************************************************
NO_BINARY_CHECK = [true|false]
* When set to true, Splunk processes binary files.
* Can only be used on the basis of [<sourcetype>], or [source::<source>], not [host::<host>].
* Defaults to false (binary files are ignored).
Is there a reason for using monitor for this? The best option imho would be to run your pacct.py script directly as a script input and have Splunk simply read its stdout.
No real reason. I'm new to Splunk. Thank you for the script input suggestion.
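The scripted-input approach suggested above, as an added example (not code from this thread or from Splunk). It assumes the file holds little-endian Linux acct_v3 records and opens the path itself rather than reading stdin; the checkpoint path and output field names are hypothetical.

```python
import os
import struct

# Assumption: struct acct_v3 from <linux/acct.h>, little-endian, 64 bytes per record.
REC = struct.Struct("<BBH5IIf8H16s")
PACCT = "/var/account/pacct"               # path from the question
STATE = "/opt/splunk/var/run/pacct.offset"  # hypothetical checkpoint file

def comp_t(c):
    """Expand a comp_t counter: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse(buf):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(buf) - REC.size + 1, REC.size):
        f = REC.unpack_from(buf, off)
        if f[1] != 3:  # ac_version: stop instead of emitting misaligned garbage
            raise ValueError(f"unsupported ac_version {f[1]} at offset {off}")
        yield {
            "btime": f[8], "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
            "exitcode": f[3], "flag": f[0], "etime": round(f[9], 2),
            "utime": comp_t(f[10]), "stime": comp_t(f[11]),
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace").replace('"', "'"),
        }

def format_event(r):
    """Render a record as one line of key=value pairs, quoting only comm."""
    return " ".join(f'{k}="{v}"' if k == "comm" else f"{k}={v}" for k, v in r.items())

def main():
    # Resume after the last complete record so each run emits only new data.
    try:
        with open(STATE) as fh:
            start = int(fh.read())
    except (OSError, ValueError):
        start = 0
    if start > os.path.getsize(PACCT):  # file was rotated or truncated
        start = 0
    with open(PACCT, "rb") as fh:
        fh.seek(start)
        buf = fh.read()
    for rec in parse(buf):
        print(format_event(rec))
    with open(STATE, "w") as fh:
        fh.write(str(start + len(buf) - len(buf) % REC.size))

if __name__ == "__main__":
    main()
```

Registered in inputs.conf under a [script://<path to this file>] stanza with an interval and a sourcetype, Splunk runs it on that schedule and indexes each printed line as an event.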