
How to edit props.conf to collect gz.done files from Blue Coat's proxy FTP server?

Contributor

How do I edit props.conf to start collecting gz.done files from Blue Coat's proxy FTP server? Reporter changes .gz files to gz.done files. What should I do to start pushing these files via the universal forwarder to the indexers?

1 Solution

Contributor

I can't find a gzip2 file in the bin folder.



SplunkTrust

Sorry, my Windows not-knowledge got me here. There is no bzip2 shipped with the Windows UF.
I found a PowerShell command which could do it, but that looks complicated: http://stackoverflow.com/questions/17546016/how-can-you-zip-or-unzip-from-the-command-prompt-using-o... The other option would be to install gzip2 or bzip2 on the UF and use unarchive_cmd = gzip -d or unarchive_cmd = bzip -d in props.conf.

Sorry if this does not answer your question or is not helpful.....


SplunkTrust

Hi daniel_augustyn,

On your universal forwarder, check the inputs.conf stanza currently monitoring the path holding the .gz files. Check whether there is a whitelist or a blacklist setting for this stanza and modify it according to your needs.
See the docs on whitelist and blacklist: http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Inputsconf

Hope this helps ...

cheers, MuS

Contributor

How can I start collecting "gz.done" files?


SplunkTrust
SplunkTrust

Check the inputs.conf and verify whether those files are blacklisted. Also check if there is a whitelist; if so, add them to the whitelist regex and they will be monitored (sometimes you need to restart the universal forwarder).


Contributor

That's what I have:

[monitor://E:\Server1\BCT-GW-SG\*.done]
sourcetype = bluecoat:proxysg:access:file
disabled = false
index = proxy

Contributor

And it doesn't collect these files.


SplunkTrust

Is the forwarder process able to read those files? Permission issue? Any errors related to this monitor in splunkd.log?


Contributor

I am just fine with reading .gz files; I can't read gz.done files from the same folder.


SplunkTrust

My bad, sorry, I thought this was no longer needed..... Yes, try the unarchive_cmd = option in props.conf to tell Splunk how to handle the gz.done file.


Contributor

Would that work on the Windows box?


SplunkTrust

Well, you should find bzip2 in the Splunk bin directory, so you should be able to run it.


SplunkTrust

Okay, I must admit my not-knowledge of Windows got me here 🙂
The universal forwarder on Windows does not come with bzip2, and therefore you cannot just use the unarchive_cmd = bzip2 -d option.
I found a PowerShell command which could do such a thing, but it looks complicated: http://stackoverflow.com/questions/17546016/how-can-you-zip-or-unzip-from-the-command-prompt-using-o...
The other option: install gzip or zip on this forwarder and use it in the unarchive_cmd option.

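To make the suggested stanza concrete, here is an inputs.conf/props.conf pair for this case; it is an added example, not the poster's configuration or Splunk's shipped defaults. It assumes a gzip.exe has been installed on the Windows forwarder and is on its PATH (the thread establishes the UF ships none), and that the unarchive_cmd, unarchive_sourcetype and NO_BINARY_CHECK keys and the source:: regex form behave as in the props.conf spec; verify with btool and splunkd.log before deploying.

```ini
# inputs.conf on the universal forwarder (added example; path and index follow the thread).
# The whitelist restricts the monitor to the renamed archives, so a plain .gz file that
# is later renamed to .gz.done is not read twice through two different stanzas.
# No sourcetype is set here on purpose: for an archive, the sourcetype of the decompressed
# contents is assigned in props.conf below.
[monitor://E:\Server1\BCT-GW-SG]
whitelist = \.gz\.done$
index = proxy
disabled = false

# props.conf on the same forwarder.
# Splunk only knows a file is gzip data from its name, via a source:: stanza in the default
# props.conf that matches ".gz". A file ending in ".gz.done" matches nothing, so it is
# likely treated as binary and skipped, which is the symptom described in the thread.
# This stanza (a regex on the full path, in the same style as Splunk's own .gz stanza)
# tells the forwarder how to decompress it: "gzip -cd -" reads the archive on stdin and
# writes plain text to stdout, which is the contract unarchive_cmd expects.
[source::...\.gz\.done]
NO_BINARY_CHECK = true
unarchive_cmd = gzip -cd -
sourcetype = preprocess-gzip
# Sourcetype applied to the decompressed contents (key name assumed from the props.conf spec).
unarchive_sourcetype = bluecoat:proxysg:access:file
```

After a forwarder restart, a "Binary file" or "unarchive" error for this path in splunkd.log is the quickest indicator that the stanza is not matching or that gzip.exe is not on the forwarder's PATH.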

Contributor

I can't find bzip2 in the bin directory. Is there a way to treat .done files like .gz files?


Contributor

Would you mind sharing the stanza for it?


Contributor

Can you let me know what the stanza should be?
