Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I configure props.conf for Splunk to index a binary .dat file?

omerr
Explorer
‎08-11-2016 08:55 AM

Hi,

Today I encountered a strange thing in Splunk.

I have Splunk 6.4.1 running on a Linux server.

I tried to index a .dat file using a Universal Forwarder (Windows 6.4.1) and see that no data coming in to Splunk. When I checked _internal log, I saw that the problem is:

tail reader ignoring file due to binary

When I configured the UF, in inputs.conf I wrote the sourcetype for this file (let's call it: test_dat_file). In addition, I created props.conf with the appropriate configuration that included NO_BINARY_CHECK = true (to force Splunk to index it).

After a couple of tries, I thought maybe my configuration was not correct, so I copied the file to the Splunk server locally and monitored it (the default sourcetype for Splunk was "known_binary"). I hoped this would work, but unfortunately no.

Sample line in the file:

03/08/2016, 00:00:16:394, ip 10.10.10.10 CRC ERR -> Buffer : sc32425sdfvEOT324dsfsg Error 0

(all the lines are the same)

Maybe someone can help with this issue.

Omer.

0 Karma
Reply

sundareshr
Legend
‎08-11-2016 09:45 AM

See this blog post

http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...