Getting Data In

Override the Splunk unarchiver when uploading a tar.gz file

adrienG
Engager

Hello,

I've got an application that generates an archive file with nested archive files in it.

Here is a sample of my file:

AppArchive.tar.gz
|_InsideArchive1.tar.gz
  |_InsideInsideArchive1.tar.gz
    |_filetoindex1.csv
|_InsideArchive2.tar.gz
  |_InsideInsideArchive2.tar.gz
    |_filetoindex2.csv

When I'm uploading my archive file to Splunk via the web UI, Splunk doesn't seem to find and extract all the files.

I would like to replace the .tar.gz Splunk default configuration with my own unarchive_cmd, but it seems like my app config (props.conf) is never called. Is there a way to override the Splunk system configuration unarchive_cmd (/opt/splunk/etc/system/default/props.conf) by only changing my user app configuration?

Actually I'm trying this in my app configuration, but it doesn't work and my script (myscript.py) is never called:

props.conf:
[source::...myapp.tar.gz]
invalid_cause = archive
unarchiv_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002


Thank you for your help! 😀


richgalloway
SplunkTrust

The description of the unarchive_cmd setting says it can only be used in a [source::<source>] stanza. Try these settings.

[myapparchive]
invalid_cause = archive

[source::...myapp.tar.gz]
unarchive_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002
---
If this reply helps you, Karma would be appreciated.

adrienG
Engager

OK, thanks for your help!

I changed my props.conf file.

It seems that the following rule in ${SPLUNK_HOME}/etc/system/default/props.conf is applied before my app rule [source::...myapp.tar.gz]:

[source::....tar(.\d+)?]
unarchive_cmd = _auto
sourcetype = preprocess-tar
NO_BINARY_CHECK = true

Do you know how to bypass this system rule ?

Thanks a lot for your answer 😀

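As an added worked example (not code from the thread, from Splunk, or from the original poster's myscript.py): a minimal unarchive_cmd script in the shape Splunk documents for that setting, namely a command that takes the archive bytes on stdin and produces the extracted text on stdout. It walks nested .tar.gz members in memory, so the leaf .csv rows from the layout in the question reach the indexer as one stream, and it skips symlinks and caps nesting depth so a hostile archive cannot escape or recurse without bound. The script name, the sample archive contents and the depth limit are assumptions for the example; the props.conf stanza from the reply above would point unarchive_cmd at this file, which must be executable by the Splunk user.

```python
#!/usr/bin/env python3
"""Hypothetical unarchive_cmd for Splunk: flatten nested .tar.gz archives.

Contract assumed from the props.conf unarchive_cmd description: the archive
arrives on stdin, the extracted text must be written to stdout. Nothing is
written to disk, so member paths like ../../etc/passwd cannot do any harm.
"""
import io
import sys
import tarfile

# Suffixes treated as nested archives to descend into (assumption for this example).
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar")


def is_nested_archive(name):
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def extract_nested(fileobj, out, depth=0, max_depth=8):
    """Stream a tar(.gz) from `fileobj`, write leaf file contents to `out`.

    Returns the member names of the leaf files emitted, in archive order.
    Raises RuntimeError when nesting exceeds `max_depth` (archive-bomb guard).
    """
    if depth > max_depth:
        raise RuntimeError("nested archive deeper than %d levels" % max_depth)
    emitted = []
    # mode "r|*": pure streaming (no seek required on stdin), compression autodetected.
    with tarfile.open(fileobj=fileobj, mode="r|*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks, devices: never followed
            data = tar.extractfile(member)
            if data is None:
                continue
            # In stream mode a member must be consumed before advancing to the next one.
            payload = data.read()
            if is_nested_archive(member.name):
                emitted.extend(extract_nested(io.BytesIO(payload), out, depth + 1, max_depth))
            else:
                out.write(payload)
                if not payload.endswith(b"\n"):
                    out.write(b"\n")  # keep events from different files on separate lines
                emitted.append(member.name)
    return emitted


def flatten_bytes(archive_bytes, max_depth=8):
    """Convenience wrapper: returns (flattened_output, leaf_names) for an in-memory archive."""
    out = io.BytesIO()
    names = extract_nested(io.BytesIO(archive_bytes), out, max_depth=max_depth)
    return out.getvalue(), names


def _tar_gz_bytes(entries):
    """Constructed helper: build an in-memory .tar.gz from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, blob in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


def build_sample_archive():
    """Constructed sample mirroring the layout in the question (not a real app export)."""
    inner1 = _tar_gz_bytes({"filetoindex1.csv": b"ts,host,event\n1,web1,login_ok\n"})
    inner2 = _tar_gz_bytes({"filetoindex2.csv": b"ts,host,event\n2,web2,login_fail\n"})
    mid1 = _tar_gz_bytes({"InsideInsideArchive1.tar.gz": inner1})
    mid2 = _tar_gz_bytes({"InsideInsideArchive2.tar.gz": inner2})
    return _tar_gz_bytes({"InsideArchive1.tar.gz": mid1, "InsideArchive2.tar.gz": mid2})


if __name__ == "__main__":
    # Invoked by Splunk: archive on stdin, flattened text on stdout.
    names = extract_nested(sys.stdin.buffer, sys.stdout.buffer)
    sys.stdout.buffer.flush()
    print("extracted %d leaf files" % len(names), file=sys.stderr)
```

Running `python3 myscript.py < AppArchive.tar.gz` outside Splunk is the quickest check that the script itself works before debugging stanza precedence; if the rows appear on stdout but nothing reaches the index, the problem is in which props.conf stanza Splunk selected, not in the extractor. The second CSV header line is emitted as-is here, so a real deployment would either strip repeated headers or rely on a sourcetype that ignores them.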