I finally got this running on Splunk 6.6.4. The following is required:
invalid_cmd=archive needs to be included in the source stanza (not in the sourcetype stanza as stated in the docs).
The jar archive must be specified with its full absolute path.
However, this file path must not contain spaces nor quotation marks. This makes the standard path of "C:\Program Files\SplunkUniversalForwarder\..." impossible to use. I had to change this to C:\Progra~1\SplunkUniversalForwarder\... to omit both spaces and quotation marks.
The only difference of my configuration to the problem stated in the question is that I do not use runnable jar files, so my Java call is java -cp C:\Progra~1\SplunkUniversalForwarder\... CLASS_NAME.
I have deployed this to a Windows Universal Forwarder that in turn forwards the parsed data to a Linux Heavy Forwarder. On the HF, I perform some additional field extractions from the file name (which is not available for the unarchive_cmd). So on the UF, props.conf only contains source stanzas, and on the HF, props.conf only contains sourcetype stanzas.
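As an added illustration (not the poster's actual configuration), the split between UF and HF described above laid out as props.conf/transforms.conf stanzas. The paths, jar name, class name, sourcetype and field name are placeholders; the archive setting is written as invalid_cause, the key name used in props.conf.spec, and the unarchive_cmd must accept the archive on stdin and emit events on stdout.

```ini
# ---- Windows Universal Forwarder: props.conf (source stanzas only) ----
# Placeholder source path; backslashes doubled as in the props.conf.spec examples.
[source::D:\\data\\archives\\*.jar]
# Hand the file to the archive processor instead of skipping it as binary.
invalid_cause = archive
NO_BINARY_CHECK = true
# Absolute path with no spaces or quotes: the 8.3 short name Progra~1 avoids both.
# Non-runnable jar, so the class to run is named explicitly after -cp.
unarchive_cmd = java -cp C:\Progra~1\SplunkUniversalForwarder\etc\apps\myapp\bin\myparser.jar com.example.MyParser
sourcetype = myparsed

# ---- Linux Heavy Forwarder: props.conf (sourcetype stanzas only) ----
[myparsed]
# Index-time extraction from the file name (source), which unarchive_cmd never sees.
TRANSFORMS-fromsource = myparsed_site

# ---- Linux Heavy Forwarder: transforms.conf ----
[myparsed_site]
# Match against the source metadata field rather than the event text.
SOURCE_KEY = MetaData:Source
# Assumed naming convention: <site>_<anything>.jar; capture the site prefix.
REGEX = [\\/]([^\\/_]+)_[^\\/]*\.jar$
FORMAT = site::$1
WRITE_META = true
```

The indexed field also needs a matching [site] stanza with INDEXED = true in fields.conf on the search tier so it is searchable by name.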