Hello,
I've got an application that generates an archive file with nested archive files in it.
Here is a sample of my file:
AppArchive.tar.gz
|_InsideArchive1.tar.gz
  |_InsideInsideArchive1.tar.gz
    |_filetoindex1.csv
|_InsideArchive2.tar.gz
  |_InsideInsideArchive2.tar.gz
    |_filetoindex2.csv
When I'm uploading my archive file to Splunk via the web UI, Splunk doesn't seem to find and extract all the files.
I would like to replace the .tar.gz Splunk default configuration to make my own unarchive_cmd, but it seems like my app config (props.conf) is never called. Is there a way to override the Splunk system configuration unarchive_cmd (/opt/splunk/etc/system/default/props.conf) by only changing my user app configuration?
Actually I'm trying this in my app configuration, but it doesn't work and my script (myscript.py) is never called:
props.conf:
[source::...myapp.tar.gz]
invalid_cause = archive
unarchiv_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002
Thank you for your help! 😀
The description of the unarchive_cmd setting says it can only be used in a [source::<source>] stanza. Try these settings:
[myapparchive]
invalid_cause = archive
[source::...myapp.tar.gz]
unarchive_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002
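For reference, here is what the script on the unarchive_cmd line could look like, as an added example and not the poster's myscript.py. It assumes the props.conf.spec contract that unarchive_cmd is a shell command receiving the archive on stdin and writing the content to index on stdout, and it walks the nested .tar.gz layers shown in the question so the inner CSV files reach the indexer.

```python
#!/usr/bin/env python3
# Reads one .tar.gz on stdin, descends into nested .tar.gz members and writes
# every leaf file's content to stdout (the assumed unarchive_cmd contract).
import io
import sys
import tarfile

MAX_DEPTH = 8            # constructed limit: refuse nesting deeper than this
MAX_MEMBER = 256 << 20   # constructed limit: refuse members over 256 MiB


def is_nested_archive(name):
    return name.lower().endswith((".tar.gz", ".tgz", ".tar"))


def extract_leaves(data, depth=0):
    """Return [(path, content)] for every regular non-archive file, recursing into tars."""
    if depth > MAX_DEPTH:
        raise ValueError("archive nesting deeper than %d levels" % MAX_DEPTH)
    leaves = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks, devices
            if member.size > MAX_MEMBER:
                raise ValueError("member %s too large (%d bytes)" % (member.name, member.size))
            fh = tar.extractfile(member)
            if fh is None:
                continue
            content = fh.read()
            if is_nested_archive(member.name):
                for path, leaf in extract_leaves(content, depth + 1):
                    leaves.append((member.name + "/" + path, leaf))
            else:
                leaves.append((member.name, content))
    return leaves


def render(leaves):
    """Concatenate leaf contents, ensuring each file ends with a newline."""
    out = bytearray()
    for _path, content in leaves:
        out += content
        if not content.endswith(b"\n"):
            out += b"\n"  # keep the next file's first line intact
    return bytes(out)


if __name__ == "__main__":
    sys.stdout.buffer.write(render(extract_leaves(sys.stdin.buffer.read())))
```

Because unarchive_cmd is run as a shell command, either make the file executable with its shebang or put an interpreter path in front of it in props.conf; the depth and size limits are there so a crafted archive cannot exhaust the forwarder's memory.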
OK, thanks for your help!
I changed my props.conf file.
It seems that the following rule in ${SPLUNK_HOME}/etc/system/default/props.conf is applied before my app rule [source::...myapp.tar.gz]:
[source::....tar(.\d+)?]
unarchive_cmd = _auto
sourcetype = preprocess-tar
NO_BINARY_CHECK = true
Do you know how to bypass this system rule ?
Thanks a lot for your answer 😀