Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

In Splunk, where and when are data.gz files unzipped?

Log_wrangler
Builder
‎09-25-2018 12:42 PM

If I have an app on a heavy forwarder that is pulling in .gz files and sending them to my indexers (i.e. distributed environment), when and where are the files unzipped?

Are the files unzipped at the heavy forwarder or sent zipped to the indexers?

I am trying to troubleshoot why I am seeing unreadable garbage in the search head with a source of file.gz...

It appears that the file was not unzipped.

Please advise.

Thank you

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-25-2018 01:20 PM

Hi Log_wrangler,

Compressed files (like .gz and .zip) are handled by the Archive processor, and are processed in serial. The Archive processor reads the compressed file during the input phase, on your HWF, and the HWF will send the uncompressed events to the indexer.

Unreadable garbage could be either you are having actual unreadable garbage in the file or the indexer is listening on TCP <YourPortNumberHere> instead of SplunkTCP. Sometimes it could also be related to forwarder sending using SSL and receiver not using SSL or vice versa.

Hope this helps ...

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-26-2018 12:01 PM

Just another hint regarding the garbage events, check the charset of the file and set it in the props.conf. See the docs for more http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Garbledevents#Symptom

cheers, MuS

0 Karma
Reply

Log_wrangler
Builder
‎09-27-2018 07:14 AM

So this issue is specifically related to an app residing on a HF.
The Splunk_TA_microsoft-cloudservices unzips files in tables inputs but not blobs inputs.
We can unzip the file with the indexer directly (as a local file input) so it appears the problem is in the app.
Any other ideas how to find the root cause?

Thanks

0 Karma
Reply

Log_wrangler
Builder
‎09-26-2018 02:26 PM

thank you for your response.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...