This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
By default, Splunk ignores binary files. However, you can set props.conf to enable consumption of binary files.
You can enable binary file consumption based on source, sourcetype or host in $SPLUNK_HOME/etc/bundles/local/props.conf.
Add the following to props.conf:
[<spec>]
NO_BINARY_CHECK = True
$ATTRIBUTE = $VALUE
<spec> can be:
$ATTRIBUTE = $VALUE can be any number of additional attribute/value pairs you may wish to set for that <spec>.
[host::robot]
NO_BINARY_CHECK = True
SHOULD_LINEMERGE = false
This example turns off binary checking for all files that come from host::robot. SHOULD_LINEMERGE = false means Splunk will break events every time it sees a newline.