The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkAdministration: How to override binary file check for log files

Previous Topic: How to delete a WMI Collection Name?? | Next Topic: os

Posts 1–3 of 3

posted by: glennsinclair | posts
date: February 5, 2010
permalink

Hi,

We have a number of application log files that contain "special" characters, that is, control characters such as ^A, ^B etc. that show up when the files are opened with vi. These are embedded within normal text, which makes up the vast majority of the file.

Splunk's FileClassifierManager is deciding that these are invalid files, because it thinks they are binary. From the splunkd.log on the Light Forwarder:

02-05-2010 16:03:07.983 WARN FileClassifierManager - Invalid file: /var/IGWork/L2AutoHedge/log/mq-order-gateway.log, reason: binary.

This is a linux host btw.

Is there a way to override this on the LightForwarder so that it accepts the file for monitoring?

Thanks,

Glenn

posted by: gkanapathy | posts
date: February 7, 2010
permalink

Yes, set

NO_BINARY_CHECK = true

in a [source::...] stanza in props.conf. Your [source::...] must of course match the file, e.g.

[source::...mq-order-gateway.log]
NO_BINARY_CHECK = true

posted by: glennsinclair | posts
date: February 9, 2010
permalink

Thanks. I knew it would be easy!

Forums: SplunkAdministration: How to override binary file check for log files

Description:

Permalink:

Splunk.com

Product:

Solutions:

Industries:

Partners:

About_us:

Support:

Services:

Videos

Download