How to edit props.conf to collect gz.done files from Blue Coat's proxy FTP server?

daniel_augustyn
Contributor

How do I edit props.conf to start collecting gz.done files from Blue Coat's proxy FTP server? Reporter changes .gz files to gz.done files. What should I do to start pushing these files via universal forwarder to the indexers?

0 Karma

daniel_augustyn
Contributor

I can't find gzip2 file in the bin folder.

0 Karma

MuS
SplunkTrust

Sorry, my Windows not-knowledge got me here. There is no bzip2 shipped with the Windows UF.
I found some PowerShell command which could do it, but that looks complicated:
http://stackoverflow.com/questions/17546016/how-can-you-zip-or-unzip-from-the-command-prompt-using-o...
Another option would be to install gzip2 or bzip2 on the UF and use the unarchive_cmd= gzip -d or unarchive_cmd= bzip -d in props.conf.

Sorry if this does not answer your question or is helpful.....

0 Karma

MuS
SplunkTrust

Hi daniel_augustyn,

On your universal forwarder, check the inputs.conf currently monitoring the path holding the .gz files. Check if there is a whitelist= or a blacklist for this stanza and modify it according to your needs.
See the docs on whitelist or blacklist: http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Inputsconf

Hope this helps ...

cheers, MuS

daniel_augustyn
Contributor

How can I start collecting "gz.done" files?

0 Karma

MuS
SplunkTrust

Check the inputs.conf and verify if those files are blacklisted or not. Also check if there is a whitelist; if so, add them to the whitelist regex and they will be monitored (sometimes you need to restart the universal forwarder).

0 Karma

daniel_augustyn
Contributor

That's what I have:

[monitor://E:\Server1\BCT-GW-SG\*.done]
sourcetype = bluecoat:proxysg:access:file
disabled = false
index=proxy

0 Karma

daniel_augustyn
Contributor

And it doesn't collect these files.

0 Karma

MuS
SplunkTrust

Is the forwarder process able to read those files? Permission issue? Any errors related to this monitor in splunkd.log?

0 Karma

daniel_augustyn
Contributor

I am just fine with reading .gz files; I can't read gz.done files from the same folder.

0 Karma

daniel_augustyn
Contributor
0 Karma

MuS
SplunkTrust

My bad, sorry, thought this was no longer needed... Yes, try this option unarchive_cmd= in props.conf to tell Splunk how to handle the gz.done file.

0 Karma

daniel_augustyn
Contributor

Would that work on the Windows box?

0 Karma

MuS
SplunkTrust

Well, you should find bzip2 in the Splunk bin directory, so you should be able to run it.

0 Karma

MuS
SplunkTrust

Okay, I must admit my not-knowledge of Windows got me here 🙂
The universal forwarder on Windows does not come with bzip2 and therefore you cannot just use the unarchive_cmd = bzip2 -d option.
I found some PowerShell command which could do such a thing, but it looks complicated:
http://stackoverflow.com/questions/17546016/how-can-you-zip-or-unzip-from-the-command-prompt-using-o...
Another option: install gzip or zip on this forwarder and use it in the unarchive_cmd option.

0 Karma

daniel_augustyn
Contributor

I can't find bzip2 in the bin directory. Is there a way to treat done like gz files?

0 Karma

daniel_augustyn
Contributor

Would you mind sharing stanza for it?

0 Karma

daniel_augustyn
Contributor

Can you let me know what the stanza should be?

0 Karma