Is there a way in Splunk to ingest a zip file with multiple sourcetypes?

Hi All:

I want to ingest a zip file that has multiple sourcetypes. Is there a mechanism to achieve it? Please let me know.

A variation of this question comes up periodically, and the basic answer is "no". A sourcetype is tied to the source in a one-to-many relationship. If your source is a set of zip files, then the sourcetype will apply to the zip files in their entirety, not their contents.

A possible solution is a triggered script, which unpacks the zip and allows you to then ingest the component files individually as defined sources in their own right.

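
One way to build the triggered script the answer describes, as an added example that is not code from the original thread: it unpacks the archive into one directory per sourcetype and renders the matching inputs.conf monitor stanzas, so each extracted file becomes a source in its own right. The filename-to-sourcetype rules, the directory layout and the sample archive are assumptions made for illustration.

```python
import fnmatch, os, re, tempfile, zipfile

# Hypothetical basename-glob -> sourcetype rules (keep these in a config file in practice).
SOURCETYPE_RULES = [("access*.log", "access_combined"), ("secure*", "linux_secure"),
                    ("*.json", "_json")]

def sourcetype_for(member_name, rules=SOURCETYPE_RULES):
    """Sourcetype for a zip member's basename, or None if no rule matches."""
    base = os.path.basename(member_name)
    return next((st for pat, st in rules if fnmatch.fnmatch(base, pat)), None)

def unpack_by_sourcetype(zip_path, landing_dir, rules=SOURCETYPE_RULES):
    """Extract members into landing_dir/<sourcetype>/ so one monitor stanza per
    directory assigns the sourcetype. Returns {sourcetype: [extracted paths]}."""
    placed = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            st = None if info.is_dir() else sourcetype_for(info.filename, rules)
            if st is None:
                continue  # directories and unmatched members are skipped, never mis-typed
            # Flatten the member path into one safe filename: keeps duplicate basenames
            # apart and neutralises '../' entries in hostile archives.
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", info.filename).lstrip("._") or "member"
            dest = os.path.join(landing_dir, st, safe)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            placed.setdefault(st, []).append(dest)
    return placed

def inputs_conf_stanzas(landing_dir, sourcetypes):
    """Render the inputs.conf [monitor://] stanzas that pair with that layout."""
    return "".join(f"[monitor://{os.path.join(landing_dir, st)}]\nsourcetype = {st}\n\n"
                   for st in sorted(sourcetypes))

def build_sample_zip(path):
    """Constructed sample archive: three sourcetypes, noise and a traversal entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("logs/access_2024.log", '10.0.0.1 - - "GET / HTTP/1.1" 200 12\n')
        zf.writestr("logs/secure", "sshd[2]: Accepted publickey for ops\n")
        zf.writestr("app/events.json", '{"event": "login"}\n')
        zf.writestr("README.txt", "not log data\n")
        zf.writestr("../escape.json", "{}\n")

def demo():  # end-to-end run in a scratch dir -> (landing_dir, placed, stanzas)
    work = tempfile.mkdtemp()
    zip_path, landing = os.path.join(work, "bundle.zip"), os.path.join(work, "landing")
    build_sample_zip(zip_path)
    placed = unpack_by_sourcetype(zip_path, landing)
    return landing, placed, inputs_conf_stanzas(landing, placed)
```

Wire unpack_by_sourcetype into whatever fires on a new zip file and drop the rendered stanzas into inputs.conf; Splunk then assigns each extracted file the sourcetype of the directory it landed in, which the zip-as-source route cannot do.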