Splunk Search

Ingesting files with a .bak extension

torowa
Path Finder

Hi Splunkers.
We have an application which roles over logs and renames them to have a .bak extension.

I've been having problems getting Splunk to ingest these.
After some digging, it seems Splunk defaults to ignoring .bak files in a system props.conf file:

[source::...((.(bak|old))|,v|~|#)]
sourcetype = ignored_type

.... which corresponds to the following in the log:

08-23-2019 15:35:01.171 +1000 INFO  TailReader - Ignoring file '[path_redacted]\my_filename-01-etc.bak' due to: ignored_type
08-23-2019 15:35:01.171 +1000 DEBUG TailReader -   Classifier said to not read item=[path_redacted]\my_filename-01-etc.bak, hence ignoring.

I've tried using a props.conf local to the app with the corresponding monitor stanza to reclassify the sourcetype to something other than ignored_type. i.e.:

[source::...(.(bak)]
sourcetype = my_sourcetype

Unfortunately Splunk still assigns it a sourcetype of ignored_type.

Generally this wouldn't be an issue as Splunk would ingest the original file before the system rolls the file over and renaming the file. In this case however, we are trying to pull logs from systems which may already have created the .bak file.

Cheers.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...