We are looking to check the last date on a log - works great if the log file has data, but if the log has been archived and gets turned into a .gz file, can we read the log file within the .gz?
There are currently no inspectors that can look inside a compressed file. Seems like a possible RFE candidate though?
I’d probably see the logic as something like
files of compressed file "X"
folders of compressed file "X"
It might be a fairly complex implementation depending on how much we limit the compressed formats but it does seem like a valuable type of inspector. The implementation would have to be able to stream the decompression in memory as inspectors are not supposed to change anything on the endpoint.
I had a hunch that would be the case, but I wanted to make sure from someone more experienced than I am. Thanks!
You could run an action to extract the data, summarize it into a text file, delete the extracted data, then read that back with relevance.
If the log has the same name on every endpoint where it exists, you could extract just that specific file (in case the .gz file contains more files), with something like:
tar -zxvf "tar filename" "file you want to extract"
And then do what @jgstew said.
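One way to script the "extract, summarize, delete, read back" step from an action on a Linux endpoint, as an added example that is not from this thread or from BigFix. It streams the decompression (gzip -dc into tail) so the full log is never written back to disk, and only a one-line summary file is left for relevance to read. It assumes rotated logs are plain gzip files (what logrotate produces; a .tar.gz would need tar instead), that the date is the first field of each line, and all paths and sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes rotated logs are single-file
# gzip (not tar) and that each line starts with its date. Paths and sample
# data below are constructed for the demonstration.

# Print the last line of a log, streaming gzip -dc for .gz files so the
# decompressed data only ever lives in the pipe, not on the endpoint's disk.
last_log_line() {
    case "$1" in
        *.gz) gzip -dc -- "$1" | tail -n 1 ;;
        *)    tail -n 1 -- "$1" ;;
    esac
}

# Write the date of the last line of the newest matching log to a summary
# file. $1 = log directory, $2 = log name prefix, $3 = summary file.
# The prefix is matched dynamically so the rotated name (app.log.1.gz etc.)
# does not have to be known in advance.
summarize_last_date() {
    dir="$1"; prefix="$2"; out="$3"
    # Newest by modification time, whether compressed or not.
    newest=$(ls -t -- "$dir"/"$prefix"* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    last_log_line "$newest" | awk '{print $1}' > "$out"
}

# --- constructed sample data so the script runs stand-alone ---
demo_dir=$(mktemp -d)
printf '2024-01-10 service started\n2024-01-11 rotated\n' > "$demo_dir/app.log.1"
gzip -- "$demo_dir/app.log.1"          # becomes app.log.1.gz (plain gzip, no tar)

summarize_last_date "$demo_dir" "app.log" "$demo_dir/last_date.txt"
cat "$demo_dir/last_date.txt"          # 2024-01-11
rm -rf "$demo_dir"
```

The summary file is the only artifact left behind; in a real action you would write it to a fixed path that the follow-up relevance reads with "lines of file".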
It doesn’t have to have the same name, you can get that dynamically with relevance in most cases. It doesn’t even have to be in the same named folder, it just has to be in a similar location with similar enough names that they can be determined dynamically.