Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can we monitor binary log data in splunk? is invalid. Reason: binary

alexethier
Engager
‎12-17-2011 08:04 PM

I have a python script that read data from the stdin, convert the input and output human readable text to the stdout.
this is my current setup:

inputs.conf

[monitor:///var/account/pacct]
sourcetype = pacct_binary

props.conf

[pacct_binary]
invalid_cause = archive
unarchive_cmd = /opt/splunk/etc/apps/search/bin/pacct.py

I experimented with multiple configurations in inputs.conf and props.conf. No matter what I do I always get the following warning when splunk start and I don't see my sourcetype in splunk web gui.

WARN  FileClassifierManager - The file '/var/account/pacct' is invalid. Reason: binary
INFO  TailingProcessor - Ignoring file '/var/account/pacct' due to: binary

Anyone can post an exemple of a inputs.conf and props.conf that would let me load this binary file.

Best,

Alex

Reply

carmackd
Communicator
‎04-20-2012 12:41 PM

You can simply ignore the binary check as well using the following props attribute.

#******************************************************************************
# Binary file configuration
#******************************************************************************

NO_BINARY_CHECK = [true|false]
* When set to true, Splunk processes binary files.
* Can only be used on the basis of [<sourcetype>], or [source::<source>], not [host::<host>].
* Defaults to false (binary files are ignored).
0 Karma
Reply

Ayn
Legend
‎12-18-2011 02:52 PM

Is there a reason for using monitor for this? The best option imho would be to run your pacct.py script directly as a script input and have Splunk simply read its stdout.

0 Karma
Reply

alexethier
Engager
‎12-21-2011 12:57 PM

No real reason. I'm new to Splunk. Thank you for the script input suggestion.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...