Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ingesting Word document

timrich66
Communicator
‎08-26-2020 05:09 AM

Hello all,

My latest challenge is to ingest a Word doc into our environment.  According to everything I have read so far, this should be straight forward as Splunk can ingest 'any' file.  At this point I should point out that I am not concerned about the contents of the file (as this all needs to be obfuscated).  I only need to ingest the file to get its name.  I am not concerned about whether or not Splunk can read the 'Word' type formatting.

The file is created daily with the format - "My Word Doc ddmmyyyy hh mm.doc"

I am only interested in the "ddmmyyyy hh mm" part to ensure that it has been created today.

I cannot get the doc file to ingest at all.  Not even in an unformatted state.  If I save the file as a ".txt" file, then it is ingested.  Unfortunately, the 'save as' option is not an option in production.

I have tried using 'whitelist=' option without any success.

Can anyone suggest a solution?  Is there something in my installation that is stopping Word docs from being ingested?  Has anyone else had a similar experience?  

Thanks

Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-02-2020 05:46 AM

Ingesting an entire Word package, possibly several MB, just to find out if a file exists seems wasteful to me.

As I suggested earlier, consider a script to test for the presence of the file and report to Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

timrich66
Communicator
‎09-02-2020 08:06 AM

The file is tiny.  I will look at what other options are available. Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-26-2020 05:37 AM
Your initial assumption is faulty. Splunk cannot ingest *any* file. It can, however, ingest any *text* file. Word files are not text.
Consider writing a python script to test for the presence of the file and making it a scripted input.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

timrich66
Communicator
‎09-02-2020 03:03 AM

Thanks for the reply.  I am, however, still confused.  There are a number of Questions about how to ingest with the correct format - eg https://community.splunk.com/t5/Archive/How-to-ingest-doc-format-file-into-splunk-with-correct-forma...

As I have stated, I am not concerned with the format within the doc, only the filename is of importance.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top