Override the Splunk unarchiver when uploading a tar.gz file

adrienG
Engager

Hello,

I've got an application that generates an archive file with nested archive files in it.

Here is a sample of my file:

AppArchive.tar.gz
|_InsideArchive1.tar.gz
  |_InsideInsideArchive1.tar.gz
    |_filetoindex1.csv
|_InsideArchive2.tar.gz
  |_InsideInsideArchive2.tar.gz
    |_filetoindex2.csv

When I'm uploading my archive file to Splunk via the web UI, Splunk doesn't seem to find and extract all the files.

I would like to replace the .tar.gz Splunk default configuration to make my own unarchive_cmd, but it seems like my app config (props.conf) is never called. Is there a way to override the Splunk system configuration unarchive_cmd (/opt/splunk/etc/system/default/props.conf) by only changing my user app configuration?

Actually, I'm trying this in my app configuration, but it doesn't work and my script (myscript.py) is never called:

props.conf:
[source::...myapp.tar.gz]
invalid_cause = archive
unarchive_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002

Thank you for your help! 😀


richgalloway
SplunkTrust

The description of the unarchive_cmd setting says it can only be used in a [source::<source>] stanza. Try these settings.

[myapparchive]
invalid_cause = archive

[source::...myapp.tar.gz]
unarchive_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002
---
If this reply helps you, Karma would be appreciated.
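For the script named in the unarchive_cmd stanza above, here is an added example (not from this thread and not Splunk's own code) of what myscript.py could do: read the archive from stdin, descend into nested tar.gz members, and write each leaf file to stdout for indexing. The stdin-to-stdout contract follows the props.conf.spec description of unarchive_cmd; the nesting-depth and decompressed-size caps are assumed defensive limits against decompression bombs and runaway nesting, not Splunk settings.

```python
#!/usr/bin/env python3
"""Recursive unarchive_cmd for nested .tar.gz archives (added example).
Splunk runs unarchive_cmd with the archive on stdin and indexes stdout.
MAX_DEPTH / MAX_TOTAL_BYTES are assumed guards, not Splunk settings."""
import io
import sys
import tarfile

MAX_DEPTH = 4                         # assumed: deepest nesting to follow
MAX_TOTAL_BYTES = 256 * 1024 * 1024   # assumed: cap on total decompressed payload
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz")


def extract_nested(data, depth=0, budget=None):
    """Return [(nested/path, bytes)] for every regular, non-archive member.
    Nothing touches disk, so member names such as ../x are only labels."""
    budget = [MAX_TOTAL_BYTES] if budget is None else budget
    found = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():             # skip dirs, symlinks, devices
                continue
            if member.size > budget[0]:         # tar header size, checked before reading
                raise ValueError(f"decompressed size budget exceeded at {member.name}")
            payload = tar.extractfile(member).read()
            if member.name.endswith(ARCHIVE_SUFFIXES):
                if depth >= MAX_DEPTH:
                    raise ValueError(f"nesting deeper than {MAX_DEPTH} at {member.name}")
                for inner, blob in extract_nested(payload, depth + 1, budget):
                    found.append((member.name + "/" + inner, blob))
            else:
                budget[0] -= len(payload)
                found.append((member.name, payload))
    return found


def build_tar_gz(files):
    """Build a .tar.gz in memory from {name: bytes}; constructs sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


def main():
    for _path, blob in extract_nested(sys.stdin.buffer.read()):
        sys.stdout.buffer.write(blob if blob.endswith(b"\n") else blob + b"\n")


if __name__ == "__main__":
    main()
```

Each leaf CSV is emitted newline-terminated, one after another, so the surrounding sourcetype still has to know how to break and parse the concatenated stream.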

adrienG
Engager

OK, thanks for your help!

I changed my props.conf file.

It seems that the following rule in ${SPLUNK_HOME}/etc/system/default/props.conf is applied before my app rule [source::...myapp.tar.gz]:

[source::....tar(.\d+)?]
unarchive_cmd = _auto
sourcetype = preprocess-tar
NO_BINARY_CHECK = true

Do you know how to bypass this system rule?

Thanks a lot for your answer 😀
