Further to my question the other day about decoding a binary file I finally got it working in Linux!!!
https://answers.splunk.com/answers/548714/unarchive-cmd-for-decoding-binary-file-with-python.html
Problem is when I installed it on Windows it fell in a massive heap. The decoding script still works when I run it manually from a Windows command prompt.
type C:\Splunk\Log_Spool\20170717.evl | C:\Python27\python.exe C:\Temp\TA-customer\bin\decode_evl.py > C:\Splunk\Log_Spool\20170717.evl.decoded
However no matter what combination I put into props.conf it just wont run. Splunk just hoovers up the binary file as is and doesn't even give a warning or error that unarchive_cmd might be wrong.
inputs.conf
[monitor://C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-customer\spool\*.evl]
disabled = 0
index = customer
sourcetype = customer:evl
followTail = 0
props.conf
###################################################
[source::C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-customer\spool\*.evl]
NO_BINARY_CHECK = true
invalid_cause = archive
# This works perfectly in Linux
# unarchive_cmd = /opt/splunk/etc/apps/TA-customer/bin/decode_evl.py
# None of these work in Windows
# unarchive_cmd = C:\Progra~1\SplunkUniversalForwarder\etc\apps\TA-customer\bin\decode_evl.py
# unarchive_cmd = C:\System\Python27\python.exe C:\Progra~1\SplunkUniversalForwarder\etc\apps\TA-customer\bin\decode_evl.py
# unarchive_cmd = C:\\System\\Python27\\python.exe C:\Progra~1\\SplunkUniversalForwarder\\etc\\apps\\TA-customer\\bin\\decode_evl.py
unarchive_cmd = C:\System\Python27\python.exe C:\Progra~1\\SplunkUniversalForwarder\\etc\\apps\\TA-customer\\bin\\decode_evl.py
# unarchive_sourcetype = customer:evl:decoded
# priority = 10
Any help would be appreciated. This is driving me up the wall!!!
So i've used the example you provided and created a binx app using the following and mine works.
inputs.conf
[monitor://C:\program files\splunk\etc\apps\binx\spool\*]
disabled = 0
followTail = 0
host = myhost
index = binx
sourcetype = binx_binary
props.conf
[source::....binx]
invalid_cause = archive
unarchive_cmd = binx.pl
I don't have any sourcetype for binx_binary in my props.conf or NO_BINARY_CHECK
I think you're running into the difference between what Splunk Core (on your Linux system) can do versus what a universal forwarder (on your Windows system) can do.
It didn't on a Heavy Forwarder on Windows either sadly. I was only testing on a Universal Forwarder to try to debug the issue locally.
It may be a typo in the question, but I noticed the Windows file path has doubled backslashes everywhere except at the root. Have you tried "C:\Progra~1\SplunkUniversalForwarder\etc\apps\TA-customer\bin\decode_evl.py"?