Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

unarchive_cmd with Java on a Windows system

SK8
Explorer
‎11-08-2017 05:10 AM

Hello,
I have a question for the property unarchive_cmd. I want to parse a textfile and recombine info to a new Log before indexing data.

props.conf

[source::C:\\Users\\...\\testlog\\...txt]
unarchive_cmd = java -jar LogConverter.jar

The command is never run. Does anybody have any ideas?

0 Karma
Reply

Martin_Doering
Explorer
‎01-09-2018 06:31 AM

I finally got this running on Splunk 6.6.4. The following is required:

  1. invalid_cmd=archive needs to be included in the source stanza (not in the sourcetype stanza as stated in the docs).
  2. The jar archive must be specified with its full absolute path.
  3. However, this file path must not contain spaces nor quotation marks. This makes the standard path of "C:\Program Files\SplunkUniversalForwarder\..." impossible to use. I had to change this to C:\Progra~1\SplunkUniversalForwarder\... to omit both spaces and quotation marks.

The only difference of my configuration to the problem stated in the question is that I do not use runnable jar files, so my Java call is java -cp C:\Progra~1\SplunkUniversalForwarder\... CLASS_NAME.

I have deployed this to a Windows Universal Forwarder that in turn forwards the parsed data to a Linux Heavy Forwarder. On the HF, I perform some additional field extractions from the file name (which is not available for the unarchive_cmd). So on the UF, props.conf only contains source stanzas, and on the HF, props.conf only contains sourcetype stanzas.

Reply

Martin_Doering
Explorer
‎12-04-2017 05:45 AM

Same question from my side. I got this running on a Linux universal forwarder, but by a Windows universal forwarder, the command is never run (knowing that because the Java could would otherwise write to a log file).

splunkd.log shows that the archive is processed ("Finishied processing file ..." messages from the ArchiveProcessor), so the "invalid_cause = archive" setting is working.

0 Karma
Reply

Martin_Doering
Explorer
‎12-04-2017 06:01 AM

Made some progress: I now see some warnings of the "ArchiveContext" component:
Command cmd="java -cp "C:\Program Files\SplunkUniversalForwarder\etc\apps\bin.jar" " for archive= failed: exited with code 1.

Need to find out what this is about. My own code does not exit with status code 1 (but rather with 0 or negative numbers).

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top