I have directories residing on D drive on my remote machine.
I have a splunk machine using which I need to collect the data from the directory on D drive on remote machine.
I had installed universal forwarder on the remote machine, but it does not help me to fetch out the information from D drive. I can fetch the data only from the eventlogs of remote machine.
Thanks & Regards,
Thanks for your information!
If i edit the inputs.conf file on the universal forwarder machine. Will I be able to view the D drive of remote machine from the main splunk machine i.e under Files and Directories- Add New option? Generally it shows the drives of the local machine right?
yes, in the UI of the indexer you will only see the local directories and files. You must manually edit the inputs.conf on the remote universal forwarder, this tells the forwarder to monitor the data and forward it to the indexer. Nevertheless, you will still not see this D drive in your indexer UI 😉
As you have said, I had changed the inputs.conf file on the remote universal forwarder and here is what I did.
1)I want to monitor D:\Test\Testscripts (folder) on remote machine.
2) So i added the following lines on the E:\SplunkUniversalForwarder\etc\system\local\inputs.conf file. The lines are as follows:
disabled = false
sourcetype = access_combined
3) Then I logged into the main splunk instance, now I should be able to view the directory right? I am still facing issues. Still should I make anymore changes?
Can you correct me if i was wrong somewhere.
Did you restart the universal forwarder after the file change? Can the user running splunk access this directory? What is your issues?
I had restarted the forwarder service from services.msc
Then i logged into the main splunk instance and under the search and reporting app I ran the query sourcetpe = access_combined,because this is what I mentioned in the inputs.conf, but I could not view the data that I intended to monitor.
Yep I would, one more query, the directory that i mentioned in the inputs.conf is not a static one, the files in it gets updated for every 4 hours, so it would get updated in splunk as well right?
Yes if you monitor a directory Splunk will read everything in there if you did not set any black/whitelists which you did not 😉