Hi,
Today I encountered a strange thing in Splunk.
I have Splunk 6.4.1 running on a Linux server.
I tried to index a .dat file using a Universal Forwarder (Windows 6.4.1) and see that no data coming in to Splunk. When I checked _internal log, I saw that the problem is:
tail reader ignoring file due to binary
When I configured the UF, in inputs.conf I wrote the sourcetype for this file (let's call it: test_dat_file). In addition, I created props.conf with the appropriate configuration that included NO_BINARY_CHECK = true (to force Splunk to index it).
After a couple of tries, I thought maybe my configuration was not correct, so I copied the file to the Splunk server locally and monitored it (the default sourcetype for Splunk was "known_binary"). I hoped this would work, but unfortunately no.
Sample line in the file:
03/08/2016, 00:00:16:394, ip 10.10.10.10 CRC ERR -> Buffer : sc32425sdfvEOT324dsfsg Error 0
(all the lines are the same)
Maybe someone can help with this issue.
Omer.
