Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Ingesting files with a .bak extension

torowa
Path Finder
‎08-22-2019 11:17 PM

Hi Splunkers.
We have an application which roles over logs and renames them to have a .bak extension.

I've been having problems getting Splunk to ingest these.
After some digging, it seems Splunk defaults to ignoring .bak files in a system props.conf file:

[source::...((.(bak|old))|,v|~|#)]
sourcetype = ignored_type

.... which corresponds to the following in the log:

08-23-2019 15:35:01.171 +1000 INFO  TailReader - Ignoring file '[path_redacted]\my_filename-01-etc.bak' due to: ignored_type
08-23-2019 15:35:01.171 +1000 DEBUG TailReader -   Classifier said to not read item=[path_redacted]\my_filename-01-etc.bak, hence ignoring.

I've tried using a props.conf local to the app with the corresponding monitor stanza to reclassify the sourcetype to something other than ignored_type. i.e.:

[source::...(.(bak)]
sourcetype = my_sourcetype

Unfortunately Splunk still assigns it a sourcetype of ignored_type.

Generally this wouldn't be an issue as Splunk would ingest the original file before the system rolls the file over and renaming the file. In this case however, we are trying to pull logs from systems which may already have created the .bak file.

Cheers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...