I have a script that pulls wtmp information and saves it to ASCII files but Splunk still insists that my files are binary. In fact, any files I now put in the directory are now considered binary files and cannot be indexed! My config
[monitor:///mylogs/wtmp_logs]
disabled = false
sourcetype = wtmp
crcSalt =
The issue here is the wtmp sourcetype you have defined in the inputs.conf. Splunk will reject the wtmp sourcetype and consider the files binary. Changing the sourcetype to wtmp_log or wtmplogs will solve the issue and allow indexing of files within this directory.
Can I get the script to read the wtmp file and convert it into ASCII information?
If I recall correctly it was done in python calling the "last" command using subprocess.
See this article for some basic uses for "last".
http://www.linuxnix.com/2012/10/read-view-utmp-wtmp-btmp-file-linuxunix.html
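The poster's script itself is not on this page, so the following is an added example, not their code: it shows the approach described above (call `last` with `subprocess`, turn its output into plain-ASCII lines Splunk can index). The `last` output lines embedded below are constructed sample input; the parser assumes the default util-linux `last` column layout (user, line, host, login time, session), which is an assumption about the host rather than something stated in the thread.

```python
import re
import subprocess

# Default `last` layout: user, line (tty/pts or "system boot"), optional host,
# login time without year, then "- HH:MM (dur)", "still logged in", etc.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+"
    r"(?P<line>\S+(?: boot)?)\s+"
    r"(?P<host>\S*)\s+"
    r"(?P<login>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2})\s*"
    r"(?P<session>.*)$"
)

# Constructed sample of `last` output (not captured from a real host).
SAMPLE_LAST_OUTPUT = """\
root     pts/0        192.0.2.10       Mon Mar  4 09:15 - 10:02  (00:47)
alice    tty1                          Mon Mar  4 08:00   still logged in
reboot   system boot  5.15.0-generic   Mon Mar  4 07:58   still running

wtmp begins Fri Mar  1 00:00:00 2024
"""


def parse_last(text):
    """Turn `last` output into a list of dicts; skips the trailing 'wtmp begins' footer."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("wtmp begins", "btmp begins")):
            continue
        m = LAST_LINE.match(raw)
        if not m:
            continue  # unknown layout; leave it out rather than emit a half-parsed event
        rec = m.groupdict()
        # collapse the padding `last` uses for column alignment
        rec["login"] = " ".join(rec["login"].split())
        rec["session"] = " ".join(rec["session"].split())
        records.append(rec)
    return records


def format_kv(rec):
    """One ASCII key=value line per session, which Splunk field extraction handles well."""
    host = rec["host"] or "-"
    return (f'user={rec["user"]} line="{rec["line"]}" host={host} '
            f'login="{rec["login"]}" session="{rec["session"]}"')


def dump_wtmp(out_path, last_cmd=("last",)):
    """Run `last` and write parsed sessions as ASCII lines; returns the record count."""
    # Note: plain `last` omits the year; `last -F` prints full timestamps but uses a
    # different column layout, so the regex above would need adjusting for it.
    proc = subprocess.run(list(last_cmd), capture_output=True, text=True, check=True)
    records = parse_last(proc.stdout)
    with open(out_path, "w", encoding="ascii", errors="replace") as fh:
        for rec in records:
            fh.write(format_kv(rec) + "\n")
    return len(records)


if __name__ == "__main__":
    for rec in parse_last(SAMPLE_LAST_OUTPUT):
        print(format_kv(rec))
```

Writing `encoding="ascii", errors="replace"` keeps any stray non-ASCII hostname bytes from turning the file into something Splunk's binary check rejects; the sourcetype problem described in the accepted answer still has to be fixed separately in inputs.conf.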