Tar.gz

Stun · ‎04-28-2021

Hello,

I push in splunk a tar.gz file named file.tar.gz.
In this tar.gz file I have several files:

file.tar.gz
|
| - filea
| - fileb
| - filec

When splunk consume the tar.gz I loose the file name (I can see only the file.tar.gz file as source field).
the content of filea fileb filec are in the index but not the file name.

I would like to manage the source field with the file name in tar.gz, as following

source:filea instead of file.tar.gz

source:fileb instead of file.tar.gz

source:filec instead of file.tar.gz

Could you please help me please ?

Many thanks.

richgalloway · ‎04-28-2021

IMO, Splunk is showing the correct source. The data it ingested came from file.tar.gz, not filea, fileb, or filec.

I'm not aware of a setting that will change the behavior. Consider extracting the tarball to a directory Splunk is monitoring.

---
If this reply helps you, Karma would be appreciated.

Tar.gz

props.conf

transforms.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation

Tar.gz

props.conf

transforms.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition