Hello,
I have a question about the property unarchive_cmd. I want to parse a text file and recombine the info into a new log before indexing the data.
props.conf
[source::C:\\Users\\...\\testlog\\...txt]
unarchive_cmd = java -jar LogConverter.jar
The command is never run. Does anybody have any ideas?
I finally got this running on Splunk 6.6.4. The following is required:
invalid_cmd=archive needs to be included in the source stanza (not in the sourcetype stanza as stated in the docs).
"C:\Program Files\SplunkUniversalForwarder\..." impossible to use. I had to change this to C:\Progra~1\SplunkUniversalForwarder\... to omit both spaces and quotation marks.
The only difference of my configuration to the problem stated in the question is that I do not use runnable jar files, so my Java call is java -cp C:\Progra~1\SplunkUniversalForwarder\... CLASS_NAME.
I have deployed this to a Windows Universal Forwarder that in turn forwards the parsed data to a Linux Heavy Forwarder. On the HF, I perform some additional field extractions from the file name (which is not available for the unarchive_cmd). So on the UF, props.conf only contains source stanzas, and on the HF, props.conf only contains sourcetype stanzas.
Same question from my side. I got this running on a Linux universal forwarder, but on a Windows universal forwarder, the command is never run (I know that because the Java code would otherwise write to a log file).
splunkd.log shows that the archive is processed ("Finishied processing file ..." messages from the ArchiveProcessor), so the "invalid_cause = archive" setting is working.
Made some progress: I now see some warnings of the "ArchiveContext" component:
Command cmd="java -cp "C:\Program Files\SplunkUniversalForwarder\etc\apps\bin.jar" " for archive= failed: exited with code 1.
Need to find out what this is about. My own code does not exit with status code 1 (but rather with 0 or negative numbers).