I'm trying to set a custom archive processor. Is this still supported in Splunk 4.1?
The documentation is contradictory. From props.conf.spec, the 2 parameters which both need to be set are invalid_cause and unarchive_cmd . The descriptions say invalid_cause can only be set for a sourcetype stanza, whereas unarchive_cmd can only be set for a source stanza. Is that even possible?
invalid_cause = <string>
* Can only be set for a [<sourcetype>] stanza.
* Splunk does not index any data with invalid_cause set.
* Set <string> to "archive" to send the file to the archive processor (specified in unarchive_cmd).
* Set to any other string to throw an error in the splunkd.log if running Splunklogger in debug mode.
* Defaults to empty.
is_valid = true | false
* Automatically set by invalid_cause.
* DO NOT SET THIS.
* Defaults to true.
unarchive_cmd = <string>
* Only called if invalid_cause is set to "archive". This field is only valid on [source::stanzas].
* <string> specifies the shell command to run to extract an archived source.
* Must be a shell command that takes input on stdin and produces output on stdout.
* Use _auto for Splunk's automatic handling of archive files (tar, tar.gz, tgz, tbz, tbz2, zip)
* Defaults to empty.
I can't get the archive processor to activate. Has anyone does this successfully?
... View more
