Hi,

Today I encountered a strange thing in Splunk.

I have Splunk 6.4.1 running on a Linux server.

I tried to index a .dat file using a Universal Forwarder (Windows 6.4.1) and see that no data coming in to Splunk. When I checked _internal log, I saw that the problem is:

tail reader ignoring file due to binary

When I configured the UF, in inputs.conf I wrote the sourcetype for this file (let's call it: test_dat_file). In addition, I created props.conf with the appropriate configuration that included NO_BINARY_CHECK = true (to force Splunk to index it).

After a couple of tries, I thought maybe my configuration was not correct, so I copied the file to the Splunk server locally and monitored it (the default sourcetype for Splunk was "known_binary"). I hoped this would work, but unfortunately no.

Sample line in the file:

03/08/2016, 00:00:16:394, ip 10.10.10.10 CRC ERR -> Buffer : sc32425sdfvEOT324dsfsg Error 0

(all the lines are the same)

Maybe someone can help with this issue.

Omer.