Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

unarchive_cmd with Java on a Windows system

SK8
Explorer
‎11-08-2017 05:10 AM

Hello,
I have a question for the property unarchive_cmd. I want to parse a textfile and recombine info to a new Log before indexing data.

props.conf

[source::C:\\Users\\...\\testlog\\...txt]
unarchive_cmd = java -jar LogConverter.jar

The command is never run. Does anybody have any ideas?

0 Karma
Reply

Martin_Doering
Explorer
‎01-09-2018 06:31 AM

I finally got this running on Splunk 6.6.4. The following is required:

  1. invalid_cmd=archive needs to be included in the source stanza (not in the sourcetype stanza as stated in the docs).
  2. The jar archive must be specified with its full absolute path.
  3. However, this file path must not contain spaces nor quotation marks. This makes the standard path of "C:\Program Files\SplunkUniversalForwarder\..." impossible to use. I had to change this to C:\Progra~1\SplunkUniversalForwarder\... to omit both spaces and quotation marks.

The only difference of my configuration to the problem stated in the question is that I do not use runnable jar files, so my Java call is java -cp C:\Progra~1\SplunkUniversalForwarder\... CLASS_NAME.

I have deployed this to a Windows Universal Forwarder that in turn forwards the parsed data to a Linux Heavy Forwarder. On the HF, I perform some additional field extractions from the file name (which is not available for the unarchive_cmd). So on the UF, props.conf only contains source stanzas, and on the HF, props.conf only contains sourcetype stanzas.

Reply

Martin_Doering
Explorer
‎12-04-2017 05:45 AM

Same question from my side. I got this running on a Linux universal forwarder, but by a Windows universal forwarder, the command is never run (knowing that because the Java could would otherwise write to a log file).

splunkd.log shows that the archive is processed ("Finishied processing file ..." messages from the ArchiveProcessor), so the "invalid_cause = archive" setting is working.

0 Karma
Reply

Martin_Doering
Explorer
‎12-04-2017 06:01 AM

Made some progress: I now see some warnings of the "ArchiveContext" component:
Command cmd="java -cp "C:\Program Files\SplunkUniversalForwarder\etc\apps\bin.jar" " for archive= failed: exited with code 1.

Need to find out what this is about. My own code does not exit with status code 1 (but rather with 0 or negative numbers).

0 Karma
Reply
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...