I have a Python script that reads data from stdin, converts the input, and outputs human-readable text to stdout.
This is my current setup:
inputs.conf:
[monitor:///var/account/pacct]
sourcetype = pacct_binary

props.conf:
[pacct_binary]
invalid_cause = archive
unarchive_cmd = /opt/splunk/etc/apps/search/bin/pacct.py
I experimented with multiple configurations in inputs.conf and props.conf. No matter what I do, I always get the following warning when Splunk starts, and I don't see my sourcetype in the Splunk Web GUI.
WARN FileClassifierManager - The file '/var/account/pacct' is invalid. Reason: binary
INFO TailingProcessor - Ignoring file '/var/account/pacct' due to: binary
Can anyone post an example of an inputs.conf and props.conf that would let me load this binary file?
Best,
Alex
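
Added example (not part of the post above and not the poster's pacct.py): a stdin-to-stdout converter of the kind the post describes, for reference when checking what the script should emit. It assumes the file holds Linux `struct acct_v3` records (64 bytes each, little-endian); the key=value output layout, the function names and the sample record are choices made for this example.

```python
#!/usr/bin/env python3
"""Added example: Linux acct_v3 process-accounting records on stdin -> key=value text."""
import struct
import sys
import time

# Assumption: struct acct_v3 from <linux/acct.h>, 64 bytes per record, little-endian host.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")

# Constructed sample record (not real accounting data), usable for an offline check.
SAMPLE = ACCT_V3.pack(0, 3, 0, 0, 1000, 1000, 4242, 1, 1700000000, 12.0,
                      5, 0x2001, 0, 0, 0, 0, 0, 0, b"sshd")

def comp_t(c):
    """Decode the kernel's comp_t counter: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def parse_record(buf):
    (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
     utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps, comm) = ACCT_V3.unpack(buf)
    if version != 3:
        raise ValueError(f"unsupported acct version {version}, expected 3")
    name = comm.split(b"\0", 1)[0].decode("ascii", "replace")
    # Keep the command name from breaking the key="value" layout of the output line.
    name = "".join(ch if ch.isprintable() and ch != '"' else "?" for ch in name)
    return {"btime": btime, "comm": name, "pid": pid, "ppid": ppid, "uid": uid,
            "gid": gid, "exitcode": exitcode, "flag": flag, "tty": tty,
            "etime_ticks": etime, "utime_ticks": comp_t(utime), "stime_ticks": comp_t(stime)}

def format_record(rec):
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(rec["btime"]))
    return (f'{ts} comm="{rec["comm"]}" pid={rec["pid"]} ppid={rec["ppid"]} '
            f'uid={rec["uid"]} gid={rec["gid"]} exitcode={rec["exitcode"]} '
            f'flag=0x{rec["flag"]:02x} utime_ticks={rec["utime_ticks"]} '
            f'stime_ticks={rec["stime_ticks"]} etime_ticks={rec["etime_ticks"]:.0f}')

def convert(stream_in, stream_out):
    """Read whole records until EOF; a short trailing read (partial record) is skipped."""
    count = 0
    while len(buf := stream_in.read(ACCT_V3.size)) == ACCT_V3.size:
        stream_out.write(format_record(parse_record(buf)) + "\n")
        count += 1
    return count

if __name__ == "__main__":
    convert(sys.stdin.buffer, sys.stdout)
```

Piping the accounting file into the script from a shell shows the text an indexer would receive, independent of any Splunk configuration.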