I'm trying to implement a custom charset decoder for a UDP input. I'm using the following settings in props.conf:

[source::udp:515]
sourcetype=my_sourcetype
unarchive_cmd=/usr/bin/perl $SPLUNK_HOME/etc/apps/foo/bin/decode.pl

[my_sourcetype]
invalid_cause = archive
However, this doesn't work. The incoming network data isn't processed by my decode script. Is my Splunk configuration correct?
I also tried other variations of the configuration, like putting unarchive_cmd in the sourcetype stanza. But none of them work.
I can't see anything in the documentation of unarchive_cmd and invalid_cause that says why this isn't supposed to work.
I restarted Splunk after changing the configuration files.
I think the unarchive_cmd simply won't work on network inputs.
The sourcetype is set correctly, so I don't think there is a problem with that.
I see. I use unarchive_cmd heavily in my app (http://apps.splunk.com/app/1753/) to decode nmon data through a converter (initially Perl, then Python); you may sometimes fight with it 🙂
I mean I think your stanza does not match (like some kind of regex that will not match a pattern), but as it is, it seems correct.
I guess you've reloaded Splunk after each setting change?
Sorry, I don't understand that.
My data appears in Splunk with source=udp:515 and sourcetype=my_sourcetype. The data in Splunk is undecoded (shows up in a hex format \xF1\xF2\xF3...). The unarchive_cmd isn't working.
unarchive_cmd and invalid_cause are listed under the source stanza in props.conf:
invalid_cause = archive
@HansWurscht: If you have the data undecoded, then for sure your stanza is not matched; whatever you change in the configuration, this won't change.
When you run a search against your data like "| stats by source", what is the source reported by Splunk?
Thanks for the answers.
The data appears in Splunk, just the decoding part won't work.
1. The Perl script reads from STDIN and prints to STDOUT.
2. No corresponding entries in splunkd.log. I could increase the debugging level.
3. I added NO_BINARY_CHECK=true to the source stanza in props.conf. But this doesn't change anything 😕
4. I moved invalid_cause from [my_sourcetype] to [source::udp:515] but this also didn't change the behaviour 😕
My data is coming to UDP 515. I'm testing with netcat:
cat /tmp/binary_to_splunk | netcat -u splunk.home.lan 515
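The post above describes the contract the decode script has to meet: Splunk's unarchive_cmd hands the raw event bytes to the command on STDIN and indexes whatever it writes to STDOUT. Before debugging the props.conf stanza match, it is worth confirming the script itself behaves correctly when fed the same bytes outside Splunk (for example `python3 decode_stdin.py cp500 < /tmp/binary_to_splunk`). The following is an added example written for this page, not the thread author's decode.pl and not Splunk code: a Python stand-in for such a filter. The source charset is not stated anywhere in the thread, so `cp500` (EBCDIC, under which the bytes \xF1\xF2\xF3 shown above would read as "123") is only an assumed default and is made a command-line argument.

```python
#!/usr/bin/env python3
"""Stand-in for an unarchive_cmd charset decoder (added example, not the
thread's decode.pl). Reads raw bytes on STDIN, writes decoded UTF-8 text
on STDOUT, which is the contract unarchive_cmd scripts must fulfil."""
import sys

# Assumed source charset; the thread never says what the UDP sender uses.
DEFAULT_CHARSET = "cp500"


def decode_bytes(raw: bytes, charset: str = DEFAULT_CHARSET) -> str:
    """Decode one chunk of raw input.

    errors="replace" keeps a single undecodable byte from aborting the
    script: an exception here would make the whole event vanish from the
    index, which is worse than a U+FFFD marker you can search for later.
    """
    return raw.decode(charset, errors="replace")


def decode_stream(src, dst, charset: str = DEFAULT_CHARSET) -> int:
    """Decode a binary stream to a text stream; returns bytes consumed."""
    raw = src.read()
    dst.write(decode_bytes(raw, charset))
    dst.flush()
    return len(raw)


def main(argv) -> int:
    # Optional first argument overrides the assumed charset.
    charset = argv[1] if len(argv) > 1 else DEFAULT_CHARSET
    decode_stream(sys.stdin.buffer, sys.stdout, charset)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the script produces readable text when run by hand on the captured file but Splunk still shows hex, the problem is in stanza matching or in how unarchive_cmd applies to that input, not in the decoder.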
Hi, I have no experience with using unarchive_cmd within a UDP flow, but I do with unarchive_cmd itself.