How to monitor and index .bz2 files in Splunk?

James_ACN · ‎11-05-2021

Hi, All.

How to index compressed files in .bz2 format using Universal Forwarder installed on a Windows server?

In UF:

inputs.conf

[monitor://E:\LogServer\Logs\*.bz2]
sourcetype = XmlWinEventLog
disabled=0
index = main

props.conf

[source::...E:\\LogServer\\Logs\\*.bz2]
sourcetype = XmlWinEventLog

[XmlWinEventLog]
invalid_cause = archive
unarchive_cmd = _auto

According to the most recent docs Splunk does index compressed files:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Propsconf

But even following these instructions, the logs are still not indexed and I was also unable to check the splunkd.log logs for any error that indicates a problem.

Does anyone have any suggestions?

Thanks in advance.

James \°/

James_ACN · ‎11-09-2021

Hi All!

I still haven't been able to solve this problem.

Does anyone have any outline suggestions?

Thanks!

James \°/

PickleRick · ‎11-06-2021

Never used it myself but.

unarchive_cmd = <string>
[...]
* This field is only valid on [source::<source>] stanzas.

So setting it on sourcetype should not work.

How to monitor and index .bz2 files in Splunk?

inputs.conf

monitor

props.conf

universal forwarder

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to monitor and index .bz2 files in Splunk?

inputs.conf

monitor

props.conf

universal forwarder

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem