Getting Data In

Tar.gz

Stun
New Member

Hello,


I push in splunk a tar.gz file named file.tar.gz.
In this tar.gz file I have several files:

file.tar.gz
   |
   | - filea
   | - fileb
   | - filec

When splunk consume the tar.gz I loose the file name (I can see only the file.tar.gz file as source field).
the content of filea fileb filec are in the index but not the file name.

I would like to manage the source field with the file name in tar.gz, as following


source:filea instead of file.tar.gz

source:fileb instead of file.tar.gz

source:filec instead of file.tar.gz

Could you please help me please ?

Many thanks.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

IMO, Splunk is showing the correct source.  The data it ingested came from file.tar.gz, not filea, fileb, or filec.

I'm not aware of a setting that will change the behavior.  Consider extracting the tarball to a directory Splunk is monitoring.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...