Support for logs compressed with xz?

hatchmt · ‎06-26-2012

The version of SUSE Linux I'm using has been compressing my logs with xz (by default) rather than gzip or bzip2. As such, when I added the log directory into splunk, there's a large gap where those files couldn't be parsed.

I can go through and unxz all of the logs and use bzip2 to compress them, and change logrotate to use bzip2 instead of xz, but I do like that xz achieves higher compression ratios than bzip2. I'm assuming that the decompression algorithms supported by splunk are hard-coded, but I thought I'd ask if it's something I can modify on my end to add support for that file type.

If not, is this something that is being considered for a future release?

juanlazarosanch · ‎08-22-2018

Hatchmt, were you able to read xz files? If so, what steps did you follow? Thanks!

ichaer_splunk · ‎08-02-2016

You can enable any sort of decompression setting the unarchive_cmd configuration in props.conf for your input. If you want to pick xz files by default, something like this should work:

[source::.../*.xz]
unarchive_cmd = /usr/bin/xz -cd -

If you already have a specific stanza in props.conf for that particular source, you'll need to tweak it.

Support for logs compressed with xz?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!