I am trying to make Splunk index a zipped file that is generated every hour. I use the batch method in order to destroy the file once it has been dealt with; however, I do not want Splunk to read the contents of the file, but rather just index the actual zipped information for archival purposes. Then, if I require it in the future, I can extract it at a later date. I have looked into the props.conf (invalid_cause) method, but it seems to extract the zipped file before indexing, or not at all (errors). Does anyone have experience or advice with this?