Splunk Enterprise

Ignoring file due to: binary

mslvrstn
Communicator

A file on my Windows boxes (running the Universal Forwarder) is being ignored because it has some bogus non-ASCII characters in the first few lines. I understand that the way to solve this should be via props.conf:

[my-sourcetype]
NO_BINARY_CHECK = true

but that doesn't seem to work when i configure that on the forwarder.

Someone suggested that this props.conf needs to go on the indexers, but how can that be the case since the message logs on the Forwarder saying it is ignoring the file and so never gets sent to the indexer?

Tags (2)

reedmohn
Communicator

First thought: Did you put it in the right props.conf file? (Sorry, I don't know which one is correct, but I do see that forwarders get cranky if get that stuff wrong...)

0 Karma

Ayn
Legend

Some props.conf settings like NO_BINARY_CHECK are used by Universal and Light forwarders. From
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwardercapabilities

Does not use transforms.conf and does not fully parse incoming data, but the CHARSET, CHECK_FOR_HEADER, NO_BINARY_CHECK, PREFIX_SOURCETYPE, and sourcetype properties from props.conf are used. 

mslvrstn
Communicator

OK, so that explains why it SHOULD work in the forwarders' props.conf, but the real problem is that it doesn't.

I can see NO_BINARY_CHECK in the output of btool props list for my_sourcetype, but when it's restarted, it still logs
08-14-2012 19:46:58.139 +0000 WARN FileClassifierManager - The file 'my_file' is invalid. Reason: binary
08-14-2012 19:46:58.139 +0000 INFO TailingProcessor - Ignoring file 'my_file' due to: binary
for every file.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...