I am having difficulties getting Splunk to ingest gzipped log files from an S3 bucket. The files themselves do not have extensions and Splunk is reading them as binaries.
I tried setting unarchive_cmd to auto, gunzip -c, and gzip -d in props.conf with no luck:
[source::/xxx/*]
unarchive_cmd = gunzip -c
NO_BINARY_CHECK = true
gunzip -c works in the shell; gzip -d doesn't without a .gz suffix.
*using the AWS add-on
Due to the nature of the environment, the files can't be renamed. Has anyone experienced this before?
I did try that; it made no difference. As per the docs, unarchive_cmd is only invoked when invalid_cause is specified.
I noticed the contradiction in the docs. I suggest contacting Splunk Support.
Have you tried adding invalid_cause=archive to the stanza? The docs have conflicting information about it, but it's worth a try.
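Added example, not from any poster in this thread: a shell check of the gzip-suffix behaviour the question describes, worth running before changing props.conf so you know the extensionless objects really are gzip streams. It confirms the gzip magic bytes, decodes the file with gunzip -c (which ignores the file name), and shows gzip -d refusing a suffix-less file. The helper names (make_sample, is_gzip, unarchive_stream, try_gzip_d) and the sample log line are constructed here; it assumes GNU or BusyBox gzip is installed.

```shell
#!/bin/sh
# Added example; assumes gzip/gunzip (GNU or BusyBox) are on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a gzipped log whose object name carries no extension,
# mirroring the S3 objects in the question.
make_sample() {
    printf '2024-01-01T00:00:00Z host=web1 action=login user=alice\n' \
        | gzip -c > "$WORK/logfile"
    echo "$WORK/logfile"
}

# Print "yes" if the first two bytes are the gzip magic number 1f 8b, else "no".
# This tells you whether Splunk is looking at real gzip data or some other binary.
is_gzip() {
    magic="$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')"
    [ "$magic" = "1f8b" ] && echo yes || echo no
}

# What unarchive_cmd = gunzip -c does: decode the stream, never consult the name.
unarchive_stream() {
    gunzip -c < "$1"
}

# What unarchive_cmd = gzip -d does: gzip derives the output name from the
# suffix, so a file without .gz is rejected ("unknown suffix" / "invalid suffix").
try_gzip_d() {
    if gzip -d "$1" 2>/dev/null; then echo ok; else echo failed; fi
}

f="$(make_sample)"
echo "gzip magic present:        $(is_gzip "$f")"
echo "gunzip -c output:          $(unarchive_stream "$f")"
echo "gzip -d on suffix-less:    $(try_gzip_d "$f")"
```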