Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I process rar files on a Windows Splunk install?

approachct
Path Finder
‎07-19-2011 06:37 AM

I thought that Splunk would read compressed files and load them, however it is telling me the rar file is a binary. I have a directory loader in Splunk set up with type IIS-2. Can Splunk load the rar files with IIS logs inside them?

Tags (2)
0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎07-19-2011 08:26 AM

You should use unarchive_cmd in props.conf for the sourcetype. See the following documentation:

http://www.splunk.com/base/Documentation/latest/admin/Propsconf

unarchive_cmd = <string>
* Only called if invalid_cause is set to "archive".
* This field is only valid on [source::<source>] stanzas.
* <string> specifies the shell command to run to extract an archived source.
* Must be a shell command that takes input on stdin and produces output on stdout.
* Use _auto for Splunk's automatic handling of archive files (tar, tar.gz, tgz, tbz, tbz2, zip)
* Defaults to empty.
0 Karma
Reply

approachct
Path Finder
‎08-05-2011 12:01 PM

Thanks. I have this configured but it is not working. How can I confirm or debug splunk calling the command line? It works outside splunk, but not inside it.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...