Input gzipped csv files

hypePG · ‎03-09-2017

Hey Guys,

I found a few answers regarding my question but I'm still not sure how to handle this situation.
I want to index compressed csv files which are in a *.gz format right now.

My inputs.conf for the forwarder looks like this:

[monitor:///opt/db2/*.gz]
sourcetype = db2:logs
index = db2
followTail = 0

Following the documentation here http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories#How_Splunk_Enterp... Splunk is able to index compressed files and is decompressing them while indexing. Do I understand this correctly that in this case no more configuration is needed?

The invalid_cause, unarchive_cmd and unarchive_sourcetype options in the props.conf are making me unsure about that.
If i still have to use them, do they need to be on the indexer or aswell in the forwarder app?

Thanks for getting things straight.

Regards

hethaishibk · ‎04-10-2019

For sourcetype "db2:logs" is there any configuration required.., Should we have to mention anything for index extraction

woodcock · ‎03-09-2017

Ditch the followTail setting and you are good-to-go. You do not need to configure the unarchiving for *.gz files; Splunk knows what to do for those.

Input gzipped csv files

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?