Solved: File/Directory Information Input: When importing a...

BMacher · ‎02-27-2017

Hello fellow Splunkies,

I get data into Splunk by monitoring a directory for changes. If I insert an archive (.zip) of about 10 MB the data, it is not imported correctly --> no time stamps + unreadable text. I think the problem might be that Splunk starts the import immediately by unzipping the archive. Since it is not fully copied it fails and Splunk handles the file like binary code.

Does anyone know a solution?

woodcock · ‎02-28-2017

Here is the best way. Modify the inputs.conf to add a blicklist for *.zippart
Then have the software that copies the files over, first rename the source file from *.zip to *.zippart, then copy it, then name it back.
If this cannot be done, then you can do something like this:
https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html

View solution in original post

BMacher · ‎03-01-2017

I found a better solution myself. Add *.filepart$ to the inputs blacklist. If you transfer files per WinSCP make sure you use SFTP.

woodcock · ‎02-28-2017

Here is the best way. Modify the inputs.conf to add a blicklist for *.zippart
Then have the software that copies the files over, first rename the source file from *.zip to *.zippart, then copy it, then name it back.
If this cannot be done, then you can do something like this:
https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html

File/Directory Information Input: When importing a .zip archive, why are there no timestamps or readable text?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases