How do I configure props.conf for Splunk to index ...

omerr · ‎08-11-2016

Hi,

Today I encountered a strange thing in Splunk.

I have Splunk 6.4.1 running on a Linux server.

I tried to index a .dat file using a Universal Forwarder (Windows 6.4.1) and see that no data coming in to Splunk. When I checked _internal log, I saw that the problem is:

tail reader ignoring file due to binary

When I configured the UF, in inputs.conf I wrote the sourcetype for this file (let's call it: test_dat_file). In addition, I created props.conf with the appropriate configuration that included NO_BINARY_CHECK = true (to force Splunk to index it).

After a couple of tries, I thought maybe my configuration was not correct, so I copied the file to the Splunk server locally and monitored it (the default sourcetype for Splunk was "known_binary"). I hoped this would work, but unfortunately no.

Sample line in the file:

03/08/2016, 00:00:16:394, ip 10.10.10.10 CRC ERR -> Buffer : sc32425sdfvEOT324dsfsg Error 0

(all the lines are the same)

Maybe someone can help with this issue.

Omer.

sundareshr · ‎08-11-2016

See this blog post

http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/

How do I configure props.conf for Splunk to index a binary .dat file?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation