Hello,
I push in splunk a tar.gz file named file.tar.gz.
In this tar.gz file I have several files:
file.tar.gz
|
| - filea
| - fileb
| - filec
When splunk consume the tar.gz I loose the file name (I can see only the file.tar.gz file as source field).
the content of filea fileb filec are in the index but not the file name.
I would like to manage the source field with the file name in tar.gz, as following
source:filea instead of file.tar.gz
source:fileb instead of file.tar.gz
source:filec instead of file.tar.gz
Could you please help me please ?
Many thanks.
IMO, Splunk is showing the correct source. The data it ingested came from file.tar.gz, not filea, fileb, or filec.
I'm not aware of a setting that will change the behavior. Consider extracting the tarball to a directory Splunk is monitoring.