Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

unarchive_cmd with Java on a Windows system

SK8
Explorer
‎11-08-2017 05:10 AM

Hello,
I have a question for the property unarchive_cmd. I want to parse a textfile and recombine info to a new Log before indexing data.

props.conf

[source::C:\\Users\\...\\testlog\\...txt]
unarchive_cmd = java -jar LogConverter.jar

The command is never run. Does anybody have any ideas?

0 Karma
Reply

Martin_Doering
Explorer
‎01-09-2018 06:31 AM

I finally got this running on Splunk 6.6.4. The following is required:

  1. invalid_cmd=archive needs to be included in the source stanza (not in the sourcetype stanza as stated in the docs).
  2. The jar archive must be specified with its full absolute path.
  3. However, this file path must not contain spaces nor quotation marks. This makes the standard path of "C:\Program Files\SplunkUniversalForwarder\..." impossible to use. I had to change this to C:\Progra~1\SplunkUniversalForwarder\... to omit both spaces and quotation marks.

The only difference of my configuration to the problem stated in the question is that I do not use runnable jar files, so my Java call is java -cp C:\Progra~1\SplunkUniversalForwarder\... CLASS_NAME.

I have deployed this to a Windows Universal Forwarder that in turn forwards the parsed data to a Linux Heavy Forwarder. On the HF, I perform some additional field extractions from the file name (which is not available for the unarchive_cmd). So on the UF, props.conf only contains source stanzas, and on the HF, props.conf only contains sourcetype stanzas.

Reply

Martin_Doering
Explorer
‎12-04-2017 05:45 AM

Same question from my side. I got this running on a Linux universal forwarder, but by a Windows universal forwarder, the command is never run (knowing that because the Java could would otherwise write to a log file).

splunkd.log shows that the archive is processed ("Finishied processing file ..." messages from the ArchiveProcessor), so the "invalid_cause = archive" setting is working.

0 Karma
Reply

Martin_Doering
Explorer
‎12-04-2017 06:01 AM

Made some progress: I now see some warnings of the "ArchiveContext" component:
Command cmd="java -cp "C:\Program Files\SplunkUniversalForwarder\etc\apps\bin.jar" " for archive= failed: exited with code 1.

Need to find out what this is about. My own code does not exit with status code 1 (but rather with 0 or negative numbers).

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...