How to ingest binary files to splunk?

Emyamy · ‎09-04-2022

Hi Splunkers,

How to ingest binary files to splunk? i get error ," ignored due to binary file".

Any help would be appreciated.

Many thanks

Emy

richgalloway · ‎09-04-2022

Splunk is a text-based platform and so will not ingest binary files. It makes little sense to do so since Splunk will not be able to search or visualize the binary data

What is your use case? Perhaps there is another solution.

---
If this reply helps you, Karma would be appreciated.

Emyamy · ‎09-05-2022

is there any charset attribute which help converts binary to human readable format?

so i would use it in my props on forwarder.

richgalloway · ‎09-05-2022

See if this answer helps you. https://community.splunk.com/t5/Getting-Data-In/How-to-Splunk-the-SAP-Security-Audit-Log/m-p/380913

---
If this reply helps you, Karma would be appreciated.

Emyamy · ‎09-05-2022

Hi @richgalloway

I'm trying to onboard SAP Audit log files to splunk but it is in binary format.

i used below props.conf but doesn't seem to be working as expected.

[sap:test]
CHARSET=UTF-16LE
NO_BINARY_CHECK=false
detect_trailing_nulls = false
inputs.conf:

[monitor:///monitoring_path]
index = sap_testindex
sourcetype = sap:test

How to ingest binary files to splunk?

heavy forwarder

indexer

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?