Getting Data In

How do I process rar files on a Windows Splunk install?

approachct
Path Finder

I thought that Splunk would read compressed files and load them, however it is telling me the rar file is a binary. I have a directory loader in Splunk set up with type IIS-2. Can Splunk load the rar files with IIS logs inside them?

Tags (2)
0 Karma

jbsplunk
Splunk Employee
Splunk Employee

You should use unarchive_cmd in props.conf for the sourcetype. See the following documentation:

http://www.splunk.com/base/Documentation/latest/admin/Propsconf

unarchive_cmd = <string>
* Only called if invalid_cause is set to "archive".
* This field is only valid on [source::<source>] stanzas.
* <string> specifies the shell command to run to extract an archived source.
* Must be a shell command that takes input on stdin and produces output on stdout.
* Use _auto for Splunk's automatic handling of archive files (tar, tar.gz, tgz, tbz, tbz2, zip)
* Defaults to empty.
0 Karma

approachct
Path Finder

Thanks. I have this configured but it is not working. How can I confirm or debug splunk calling the command line? It works outside splunk, but not inside it.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...