Re: how to ingest binary files to splunk?

Emyamy · ‎09-04-2022

Hi Splunkers,

How to ingest binary files to splunk? i get error ," ignored due to binary file".

Any help would be appreciated.

Many thanks

Emy

richgalloway · ‎09-04-2022

Splunk is a text-based platform and so will not ingest binary files. It makes little sense to do so since Splunk will not be able to search or visualize the binary data

What is your use case? Perhaps there is another solution.

---
If this reply helps you, Karma would be appreciated.

Emyamy · ‎09-05-2022

is there any charset attribute which help converts binary to human readable format?

so i would use it in my props on forwarder.

richgalloway · ‎09-05-2022

See if this answer helps you. https://community.splunk.com/t5/Getting-Data-In/How-to-Splunk-the-SAP-Security-Audit-Log/m-p/380913

---
If this reply helps you, Karma would be appreciated.

Emyamy · ‎09-05-2022

Hi @richgalloway

I'm trying to onboard SAP Audit log files to splunk but it is in binary format.

i used below props.conf but doesn't seem to be working as expected.

[sap:test]
CHARSET=UTF-16LE
NO_BINARY_CHECK=false
detect_trailing_nulls = false
inputs.conf:

[monitor:///monitoring_path]
index = sap_testindex
sourcetype = sap:test

How to ingest binary files to splunk?

heavy forwarder

indexer

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation