@JoelCBennett: here is a new question where I'm going to investigate making the app with UNC paths.
I found that you do not need to escape the path for the input to work (should use "\SERVERNAME\D$\FOLDERNAME\TEXTFILE.txt" not " \\SERVERNAME\D$\FOLDERNAME\TEXTFILE.txt").
In my case, the input ran as the local system account and thus didn't have access to the share. I had to change the account for the Splunkd service to run under a local user's context (this host isn't on a domain) . This worked for me.
The app should work provided that the account that Splunk is running under has access to the path and the app is running on Windows. By default, Splunk installs as a local service account which likely doesn't have access. You can change the account that the service runs under by changing the account using services.msc. Note that the account will need to have access to Splunk's install directory too. If it doesn't, you will see an error in filemetadatamodularinput.log that looks like this:
IOError: [Errno 13] Permission denied: u'C:\\Program Files\\Splunk\\var\\lib\\splunk\\modinputs\\file_meta_data\\6ca8dc8f8956b39f61fb8c69837222ffaa0dae4b5a918cbf130d2284.json'
Hey Luke. Thanks again for your continued follow-up.
In my case, the account under which the splunk service is running on the indexer is a domain admin. So no permissions issues. Verified that as that account I could access the file.
The Splunk forum is removing your backslashes, so a little hard to see your example. I reverted back to my original pathing, which is a typical UNC path (two leading backslashes, a single backslash between directories).
The filemetadatamodularinput.log has the following errors:
2015-11-17 13:51:13,760 ERROR Execution failed Traceback (most recent call last): File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1320, in execute self.do_run(in_stream, log_exception_and_continue=True) File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1220, in do_run input_config) File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 350, in run results, new_latest_time = [self.get_file_data(file_path, logger=self.logger, latest_time=latest_time, must_be_later_than=must_be_later_than, file_hash_limit=file_hash_limit)] ValueError: need more than 1 value to unpack
Can you try version 1.0.1? That version includes more information when it is unable to access a file (and it won't include that exception). The logs should be more explicit on that version and should help figure out why it thinks it cannot access the files.
Upgraded to 1.0.1. Here is the new error with sensitive data XXXed out. Looks like the error you referenced above, but again I am using a domain admin acct to run the splunk service. Looks almost like it is inserting additional backslashes in the path. Is that supposed to look like that? The path I input in settings does not duplicate backslashes at this point.
2015-11-17 14:51:15,190 INFO Time is later than filter, stmtime=1447374849.7156944, mustbelaterthan=None, path=u'\\SERVERNAME\d$\DIRECTORY\testjcb.txt'
2015-11-17 14:51:15,191 INFO Completed retrieval of file data, count=1, path=\SERVERNAME\d$\DIRECTORY\testjcb.txt
2015-11-17 14:51:15,193 ERROR Failed to save checkpoint directory
Traceback (most recent call last):
File "D:\Program Files\Splunk\etc\apps\filemetadata\bin\fileinfoapp\modularinput.py", line 1174, in savecheckpointdata
fp = open( self.getfilepath(checkpointdir, stanza), 'w' )
IOError: [Errno 13] Permission denied: u'D:\Program Files\Splunk\var\lib\splunk\modinputs\filemetadata\8851a2e98451016f56fa021e35925b5ee25391303ac5ae3297409334.json'
Yes, the path should look like it has extra back-slashes; this is just how Python prints strings.
The permission denied error indicates that the account doesn't have sufficient access to the Splunk install directory in order to write out the checkpoint file. It might work if you add permission to whatever account you are running Splunk under such that it can read and write to the path:
There may be other directories it needs access to as well (likely needs the ability to write to other files within Splunk).
Even though the splunk service account is already a local admin, I had to add permissions for the filemetadata directory. For whatever reason the app install process does not grant it rights. Works now. Thanks for the guidance, Luke!