How do I get the File/Directory Information Input app to work with UNC paths?

Champion

The File/Directory Information Input app currently does not work with UNC paths. It returns no data.

How can I get this to work?

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Champion

@JoelCBennett: here is a new question where I'm going to investigate making the app work with UNC paths.

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Champion

I found that you do not need to escape the path for the input to work (should use "\SERVERNAME\D$\FOLDERNAME\TEXTFILE.txt" not " \\SERVERNAME\D$\FOLDERNAME\TEXTFILE.txt").

In my case, the input ran as the local system account and thus didn't have access to the share. I had to change the account for the Splunkd service to run under a local user's context (this host isn't on a domain). This worked for me.

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Champion

The app should work provided that the account that Splunk is running under has access to the path and the app is running on Windows. By default, Splunk installs as a local service account which likely doesn't have access. You can change the account that the service runs under by changing the account using services.msc. Note that the account will need to have access to Splunk's install directory too. If it doesn't, you will see an error in filemetadatamodularinput.log that looks like this:

IOError: [Errno 13] Permission denied: u'C:\\Program Files\\Splunk\\var\\lib\\splunk\\modinputs\\file_meta_data\\6ca8dc8f8956b39f61fb8c69837222ffaa0dae4b5a918cbf130d2284.json'

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Engager

Hey Luke. Thanks again for your continued follow-up.

In my case, the account under which the Splunk service is running on the indexer is a domain admin. So no permissions issues. Verified that as that account I could access the file.

The Splunk forum is removing your backslashes, so a little hard to see your example. I reverted back to my original pathing, which is a typical UNC path (two leading backslashes, a single backslash between directories).

The filemetadatamodularinput.log has the following errors:

2015-11-17 13:51:13,760 ERROR Execution failed
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1320, in execute
    self.do_run(in_stream, log_exception_and_continue=True)
  File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1220, in do_run
    input_config)
  File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 350, in run
    results, new_latest_time = [self.get_file_data(file_path, logger=self.logger, latest_time=latest_time, must_be_later_than=must_be_later_than, file_hash_limit=file_hash_limit)]
ValueError: need more than 1 value to unpack

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Champion

Can you try version 1.0.1? That version includes more information when it is unable to access a file (and it won't include that exception). The logs should be more explicit on that version and should help figure out why it thinks it cannot access the files.

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Engager

Upgraded to 1.0.1. Here is the new error with sensitive data XXXed out. Looks like the error you referenced above, but again I am using a domain admin acct to run the Splunk service. Looks almost like it is inserting additional backslashes in the path. Is that supposed to look like that? The path I input in settings does not duplicate backslashes at this point.

2015-11-17 14:51:15,190 INFO Time is later than filter, stmtime=1447374849.7156944, mustbelaterthan=None, path=u'\\SERVERNAME\d$\DIRECTORY\testjcb.txt'
2015-11-17 14:51:15,191 INFO Completed retrieval of file data, count=1, path=\SERVERNAME\d$\DIRECTORY\testjcb.txt
2015-11-17 14:51:15,193 ERROR Failed to save checkpoint directory
Traceback (most recent call last):
File "D:\Program Files\Splunk\etc\apps\filemetadata\bin\fileinfoapp\modularinput.py", line 1174, in savecheckpointdata
fp = open( self.getfilepath(checkpointdir, stanza), 'w' )
IOError: [Errno 13] Permission denied: u'D:\Program Files\Splunk\var\lib\splunk\modinputs\filemetadata\8851a2e98451016f56fa021e35925b5ee25391303ac5ae3297409334.json'

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Champion

Yes, the path should look like it has extra back-slashes; this is just how Python prints strings.

The permission denied error indicates that the account doesn't have sufficient access to the Splunk install directory in order to write out the checkpoint file. It might work if you add permission to whatever account you are running Splunk under such that it can read and write to the path:

D:\Program Files\Splunk\var\lib\splunk\modinputs\file_meta_data

There may be other directories it needs access to as well (likely needs the ability to write to other files within Splunk).

Re: How do I get the File/Directory Information Input app to work with UNC paths?

Engager

Even though the Splunk service account is already a local admin, I had to add permissions for the filemetadata directory. For whatever reason the app install process does not grant it rights. Works now. Thanks for the guidance, Luke!
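
Added example, not part of the thread or the app's own code: a Python 3 preflight that tests the two permissions this thread turned on, read access to the monitored path and the ability to create a `.json` file in the checkpoint directory. It only reflects the service's view when run as the account the Splunk service uses; the function names and the command-line arguments are assumptions of this example.

```python
import os
import sys
import tempfile


def _attempt(action):
    """Run action(); return (ok, detail) with the OS error number on failure."""
    try:
        action()
        return True, "ok"
    except OSError as exc:  # covers IOError/PermissionError on Python 3
        return False, "errno=%s %s" % (exc.errno, exc.strerror)


def _read(path):
    # The input accepts files or directories, so probe whichever this is.
    if os.path.isdir(path):
        os.listdir(path)
    else:
        with open(path, "rb") as fp:
            fp.read(1)


def _write_scratch(directory):
    # Same kind of operation that failed in the thread: create a .json file here.
    fd, scratch = tempfile.mkstemp(suffix=".json", dir=directory)
    os.close(fd)
    os.remove(scratch)


def preflight(input_path, checkpoint_dir):
    """Check both permissions the input needs, as the current account."""
    return {
        "input_path": _attempt(lambda: _read(input_path)),
        "checkpoint_dir": _attempt(lambda: _write_scratch(checkpoint_dir)),
    }


if __name__ == "__main__":
    # Usage (paths are yours): preflight.py <input path> <checkpoint dir>
    for name, (ok, detail) in preflight(sys.argv[1], sys.argv[2]).items():
        print("%-14s %s  %s" % (name, "PASS" if ok else "FAIL", detail))
    # %r shows the doubled backslashes seen in the log; the path is unchanged.
    print("logged as %r" % sys.argv[1])
```

A `FAIL` with `errno=13` on `checkpoint_dir` corresponds to the `Permission denied` error in the log above, even when the same account passes the `input_path` check.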