How to monitor and index .bz2 files in Splunk?

James_ACN · ‎11-05-2021

Hi, All.

How to index compressed files in .bz2 format using Universal Forwarder installed on a Windows server?

In UF:

inputs.conf

[monitor://E:\LogServer\Logs\*.bz2]
sourcetype = XmlWinEventLog
disabled=0
index = main

props.conf

[source::...E:\\LogServer\\Logs\\*.bz2]
sourcetype = XmlWinEventLog

[XmlWinEventLog]
invalid_cause = archive
unarchive_cmd = _auto

According to the most recent docs Splunk does index compressed files:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Propsconf

But even following these instructions, the logs are still not indexed and I was also unable to check the splunkd.log logs for any error that indicates a problem.

Does anyone have any suggestions?

Thanks in advance.

James \°/

James_ACN · ‎11-09-2021

Hi All!

I still haven't been able to solve this problem.

Does anyone have any outline suggestions?

Thanks!

James \°/

PickleRick · ‎11-06-2021

Never used it myself but.

unarchive_cmd = <string>
[...]
* This field is only valid on [source::<source>] stanzas.

So setting it on sourcetype should not work.

How to monitor and index .bz2 files in Splunk?

inputs.conf

monitor

props.conf

universal forwarder

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to monitor and index .bz2 files in Splunk?

inputs.conf

monitor

props.conf

universal forwarder

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR