Hello,

I've got an application that generates an archive file with nested archive files in it. Here is a sample of my file:

AppArchive.tar.gz
|_InsideArchive1.tar.gz
   |_InsideInsideArchive1.tar.gz
      |_filetoindex1.csv
|_InsideArchive2.tar.gz
   |_InsideInsideArchive2.tar.gz
      |_filetoindex2.csv

When I'm uploading my archive file to Splunk via the web UI, Splunk doesn't seem to find and extract all the files.

I would like to replace the .tar.gz Splunk default configuration to make my own unarchive_cmd, but it seems like my app config (props.conf) is never called. Is there a way to override the Splunk system configuration unarchived_cmd (/opt/splunk/etc/system/default/props.conf) by only changing my user app configuration?

Currently I'm trying this in my app configuration, but it doesn't work and my script (myscript.py) is never called:

props.conf:
[source::...myapp.tar.gz]
invalid_cause = archive
unarchiv_cmd = /opt/splunk/etc/apps/myapp/bin/myscript.py
NO_BINARY_CHECK = true
sourcetype = myapparchive
priority = 10002

Thank you for your help! 😀
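A sketch of what a script in the role of myscript.py could do for the nested layout above, as an added example that is not part of the original post: it reads the outer archive from stdin, walks nested tar archives in streaming mode, and writes the contents of every non-archive file to stdout. It assumes the unarchive_cmd contract described in props.conf.spec (input on stdin, output on stdout); the function name `flatten` and the depth and size limits are hypothetical choices that stop a deeply nested or oversized archive from exhausting the host.

```python
#!/usr/bin/env python3
import sys
import tarfile

MAX_DEPTH = 5                   # assumed limit on archive nesting
MAX_TOTAL_BYTES = 1 << 30       # assumed cap on bytes written to stdout
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar")


def flatten(stream, out, depth=0, budget=None):
    """Copy every non-archive file in a (nested) tar stream to `out`.

    Returns the number of leaf files written.
    """
    if budget is None:
        budget = [MAX_TOTAL_BYTES]   # shared across all nesting levels
    if depth > MAX_DEPTH:
        raise ValueError("archive nesting exceeds MAX_DEPTH")
    written = 0
    # "r|*" reads sequentially and auto-detects gzip, so a pipe is enough
    with tarfile.open(fileobj=stream, mode="r|*") as tar:
        for member in tar:
            if not member.isfile():   # ignore dirs, links, device nodes
                continue
            data = tar.extractfile(member)
            if member.name.lower().endswith(ARCHIVE_SUFFIXES):
                written += flatten(data, out, depth + 1, budget)
                continue
            budget[0] -= member.size  # size declared in the tar header
            if budget[0] < 0:
                raise ValueError("output exceeds MAX_TOTAL_BYTES")
            for chunk in iter(lambda: data.read(65536), b""):
                out.write(chunk)
            written += 1
    return written


if __name__ == "__main__":
    flatten(sys.stdin.buffer, sys.stdout.buffer)
```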