Hi Splunkers.
We have an application which roles over logs and renames them to have a .bak extension.

I've been having problems getting Splunk to ingest these.
After some digging, it seems Splunk defaults to ignoring .bak files in a system props.conf file:

[source::...((.(bak|old))|,v|~|#)]
sourcetype = ignored_type

.... which corresponds to the following in the log:

08-23-2019 15:35:01.171 +1000 INFO  TailReader - Ignoring file '[path_redacted]\my_filename-01-etc.bak' due to: ignored_type
08-23-2019 15:35:01.171 +1000 DEBUG TailReader -   Classifier said to not read item=[path_redacted]\my_filename-01-etc.bak, hence ignoring.

I've tried using a props.conf local to the app with the corresponding monitor stanza to reclassify the sourcetype to something other than ignored_type. i.e.:

[source::...(.(bak)]
sourcetype = my_sourcetype

Unfortunately Splunk still assigns it a sourcetype of ignored_type.

Generally this wouldn't be an issue as Splunk would ingest the original file before the system rolls the file over and renaming the file. In this case however, we are trying to pull logs from systems which may already have created the .bak file.

Cheers.