Getting Data In

Will Splunk ingest a TAR file with a .diag extension?

dbcase
Motivator

Hi,

I know Splunk will injest a TAR (and other types) file, my question is what if the file extension is NOT *.tar or *.TGZ? In this case the extension is *.diag and there will be 200+ individual files per day so manually renaming them isn't a viable option.

0 Karma
1 Solution

DarthDMader
Explorer

Hi

uncompressed tar files with suffix .diag are working
compressed tar files with suffix .diag are NOT working

following error message occurs in splunkd.log when it's gziped:
11-10-2016 09:50:12.793 +0100 WARN FileClassifierManager - The file '/opt/splunk/blub.diag' is invalid. Reason: binary

Kind Regards
Darth

View solution in original post

0 Karma

DarthDMader
Explorer

Hi

uncompressed tar files with suffix .diag are working
compressed tar files with suffix .diag are NOT working

following error message occurs in splunkd.log when it's gziped:
11-10-2016 09:50:12.793 +0100 WARN FileClassifierManager - The file '/opt/splunk/blub.diag' is invalid. Reason: binary

Kind Regards
Darth

0 Karma

dbcase
Motivator

Sorry I should have been more clear. The *.diag file is a tar file, it just doesn't have the tar extension.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...