Solved: Indexing 7-Zip Files.

sthao · ‎04-12-2011

I am using Splunk 4.2 and would like to know if .7z files can be indexed?

I have attempted to index .7z files via the below steps, but have been unsuccessful:

Copying the crawl.conf file from ..\etc\system\default.
Placing the crawl.conf file in ..\etc\system\local.
Adding 7z to the packed_extensions_list line.
Restarting Splunk.
Re-indexing the location which holds the .7z files.

Thank you for any direction that can be given!

gkanapathy · ‎04-12-2011

No. Splunk has configurations for gzip, bz2, and compress files, among others, but not 7z. You could probably add support for that if you choose and install a command-line decompressor with streaming decompression by mimicking the configuration for tgz files.

View solution in original post

gkanapathy · ‎04-12-2011

No. Splunk has configurations for gzip, bz2, and compress files, among others, but not 7z. You could probably add support for that if you choose and install a command-line decompressor with streaming decompression by mimicking the configuration for tgz files.

sthao · ‎04-12-2011

Thanks for the prompt response! I may just end up having to stick with ZIP files, instead of 7z files then.

If I were to attempt support of 7z files, where would I go to get more info on mimicking the tgz configuration/setup?

Thanks!

Indexing 7-Zip Files.

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...