Getting Data In

Override the Splunk unarchiver when uploading a tar.gz file

adrienG
Engager

Hello,

I've got an application that generates an archive file with nested archive files in it.

Here is a sample of my file:

AppArchive.tar.gz
|_InsideArchive1.tar.gz
  |_InsideInsideArchive1.tar.gz
    |_filetoindex1.csv
|_InsideArchive2.tar.gz
  |_InsideInsideArchive2.tar.gz
    |_filetoindex2.csv

When I'm uploading my archive file to Splunk via the web UI, Splunk doesn't seem to find and extract all the files.

I would like to replace the Splunk default .tar.gz configuration with my own unarchive_cmd, but it seems like my app config (props.conf) is never called. Is there a way to override the Splunk system configuration's unarchive_cmd (/opt/splunk/etc/system/default/props.conf) by changing only my own app configuration?

Actually, I'm trying this in my app configuration but it doesn't work, and my script (myscript.py) is never called:

props.conf:
[source::...myapp.tar.gz]
invalid_cause = archive
unarchive_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002

Thank you for your help ! 😀

0 Karma

richgalloway
SplunkTrust

The description of the unarchive_cmd setting says it can only be used in a [source::<source>] stanza. Try these settings.

[myapparchive]
invalid_cause = archive

[source::...myapp.tar.gz]
unarchive_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002
---
If this reply helps you, Karma would be appreciated.
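The thread never shows what myscript.py does, so here is an added example of such an unarchive_cmd script (not code from this thread or from Splunk) that expands a nested layout like the AppArchive.tar.gz tree in the question. It assumes the contract props.conf.spec describes for a command string without a $source placeholder, namely that Splunk pipes the archive to the command's stdin and indexes what it writes to stdout; verify that against the spec shipped with your Splunk version. The depth and size caps, the list of archive suffixes, and the contents of build_sample_archive are arbitrary or constructed for the example.

```python
#!/usr/bin/env python3
"""Recursive tar.gz unarchiver meant to be wired in as a Splunk unarchive_cmd.

Assumed contract (check props.conf.spec for your version): Splunk feeds the
archive to this command on stdin and indexes whatever it writes to stdout.
The script walks the archive, descends into members that are themselves
tarballs, and streams every regular file it finds. Nothing is written to
disk, so hostile member names (../etc/passwd, absolute paths) have nowhere to
escape to, and the depth/size caps bound what a crafted archive ("tar bomb")
can make the forwarder allocate.
"""
import io
import sys
import tarfile
from typing import Iterator, List, Tuple

MAX_DEPTH = 5                  # arbitrary: nesting levels allowed below the top archive
MAX_MEMBER_BYTES = 64 << 20    # arbitrary: per-file decompressed size cap
MAX_TOTAL_BYTES = 512 << 20    # arbitrary: cap on total bytes handed to Splunk
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar")   # assumption: what counts as nested


def is_nested_archive(name: str) -> bool:
    """Members with these suffixes are opened as archives rather than emitted as data."""
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def walk_archive(data: bytes, prefix: str = "", depth: int = 0) -> Iterator[Tuple[str, bytes]]:
    """Yield (virtual_path, content) for each regular file, recursing into nested tarballs.

    virtual_path joins the member names of each nesting level with "!/" so the
    origin of a file stays traceable even though Splunk only sees one source.
    """
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} levels at {prefix!r}")
    # mode "r:*" lets tarfile detect gzip/bz2/xz/plain tar from the bytes themselves.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            # Directories, symlinks, hard links and devices carry no data to index.
            if not member.isfile():
                continue
            if member.size > MAX_MEMBER_BYTES:
                raise ValueError(f"{prefix}{member.name}: {member.size} bytes exceeds cap")
            fh = tar.extractfile(member)
            if fh is None:
                continue
            content = fh.read()
            vpath = prefix + member.name
            if is_nested_archive(member.name):
                yield from walk_archive(content, prefix=vpath + "!/", depth=depth + 1)
            else:
                yield vpath, content


def iter_files(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Stream leaf files while enforcing the cap on total decompressed output."""
    total = 0
    for vpath, content in walk_archive(data):
        total += len(content)
        if total > MAX_TOTAL_BYTES:
            raise ValueError(f"total output exceeds {MAX_TOTAL_BYTES} bytes at {vpath!r}")
        yield vpath, content


def unarchive(data: bytes) -> List[Tuple[str, bytes]]:
    """Fully expand an archive in memory (convenient for tests and small inputs)."""
    return list(iter_files(data))


def make_tgz(members: List[Tuple[str, bytes]]) -> bytes:
    """Build a gzip-compressed tar in memory from (name, payload) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed stand-in for AppArchive.tar.gz with the layout from the question."""
    inner1 = make_tgz([("filetoindex1.csv", b"ts,host,status\n1,web1,ok\n")])
    inner2 = make_tgz([("filetoindex2.csv", b"ts,host,status\n2,web2,fail\n")])
    mid1 = make_tgz([("InsideInsideArchive1.tar.gz", inner1)])
    mid2 = make_tgz([("InsideInsideArchive2.tar.gz", inner2)])
    return make_tgz([("InsideArchive1.tar.gz", mid1), ("InsideArchive2.tar.gz", mid2)])


def main() -> None:
    """stdin: one archive; stdout: the concatenated content of every leaf file."""
    out = sys.stdout.buffer
    for _vpath, content in iter_files(sys.stdin.buffer.read()):
        out.write(content)
        if content and not content.endswith(b"\n"):
            out.write(b"\n")   # keep the last line of one file from fusing with the next
    out.flush()


if __name__ == "__main__":
    main()
```

Run it stand-alone with python3 myscript.py < AppArchive.tar.gz, mark it executable, and point the unarchive_cmd in the [source::...myapp.tar.gz] stanza above at it. Because Splunk sees the whole expansion as a single source, the per-file virtual path is only available inside the script (for a log line or a marker you choose to emit); and whatever script you use, keep to this in-memory pattern rather than extracting an untrusted archive to disk only to read it back.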

adrienG
Engager

Ok, thanks for your help !

I changed my props.conf file.

It seems that the following rule in ${SPLUNK_HOME}/etc/system/default/props.conf is applied before my app rule [source::...myapp.tar.gz]:

[source::....tar(.\d+)?]
unarchive_cmd = _auto
sourcetype = preprocess-tar
NO_BINARY_CHECK = true

Do you know how to bypass this system rule ?

Thanks a lot for your answer 😀

0 Karma