How to collect data from directories on a remote machine into a Splunk indexer

Path Finder

Hi,

I have directories residing on D drive on my remote machine.

I have a splunk machine using which I need to collect the data from the directory on D drive on remote machine.

I had installed universal forwarder on the remote machine, but it does not help me to fetch out the information from D drive. I can fetch the data only from the eventlogs of remote machine.

Kindly help!

Thanks & Regards,
Sushma.

0 Karma
1 Solution

SplunkTrust

Hi sushma7,

Best is to start reading the docs about "Monitor files and directories" and on "Edit inputs.conf". Remember this must all be done on your universal forwarder where your D drive exists.

Hope this helps ...

Cheers, MuS


SplunkTrust

You're welcome. Now you can show your support and accept the answer and/or upvote it 😉 thx 🙂

0 Karma

Path Finder

Thanks for your support! It worked out....hurray!!!!!

0 Karma

SplunkTrust

Yes, if you monitor a directory, Splunk will read everything in there if you did not set any black/whitelists, which you did not 😉

0 Karma

Path Finder

Yep, I would. One more query: the directory that I mentioned in the inputs.conf is not a static one, the files in it get updated every 4 hours, so it would get updated in Splunk as well, right?

0 Karma

SplunkTrust

Check 'index=_internal' for any message related to your universal forwarder.

0 Karma

Path Finder

I had restarted the forwarder service from services.msc.
Then I logged into the main Splunk instance and under the Search and Reporting app I ran the query sourcetpe = access_combined, because this is what I mentioned in the inputs.conf, but I could not view the data that I intended to monitor.

0 Karma

SplunkTrust

Did you restart the universal forwarder after the file change? Can the user running Splunk access this directory? What is your issue?

0 Karma

Path Finder

As you have said, I had changed the inputs.conf file on the remote universal forwarder and here is what I did.
1) I want to monitor D:\Test\Testscripts (folder) on the remote machine.
2) So I added the following lines to the E:\SplunkUniversalForwarder\etc\system\local\inputs.conf file. The lines are as follows:

[monitor://D:\Test\Testscripts]
disabled = false
sourcetype = access_combined

3) Then I logged into the main Splunk instance; now I should be able to view the directory, right? I am still facing issues. Should I still make any more changes?

Can you correct me if I was wrong somewhere?

0 Karma
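
The checks raised in this thread (forwarder restart, directory access for the account running Splunk, and the monitor stanza actually in effect), collected as an added PowerShell example to run on the forwarder host; it is not part of the original posts. The two paths are the ones quoted in the thread; the service name `SplunkForwarder` is assumed to be the Windows installer default.

```powershell
# Added example: run in an elevated PowerShell session on the forwarder host.
$SplunkHome  = 'E:\SplunkUniversalForwarder'   # from the thread
$MonitorPath = 'D:\Test\Testscripts'           # from the thread
$ServiceName = 'SplunkForwarder'               # assumption: installer default
$Splunk      = Join-Path $SplunkHome 'bin\splunk.exe'
$Read        = [System.Security.AccessControl.FileSystemRights]::Read

# 1. Is the forwarder running, and under which account?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
'Service state: {0}, runs as: {1}' -f $svc.State, $svc.StartName

# 2. Does the monitored directory exist, and which identities are allowed
#    to read it? Compare this list with the account printed in step 1.
if (-not (Test-Path -LiteralPath $MonitorPath)) {
    throw "$MonitorPath does not exist on this host"
}
(Get-Acl -LiteralPath $MonitorPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (($_.FileSystemRights -band $Read) -eq $Read) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 3. Monitor stanzas after all inputs.conf layers are merged; --debug
#    prints the file each setting was read from.
& $Splunk btool inputs list monitor --debug

# 4. Where the forwarder is configured to send data.
& $Splunk btool outputs list --debug

# 5. Restart so the edited inputs.conf is re-read, then show what
#    splunkd logged about the monitored directory.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 30
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $log -SimpleMatch 'Testscripts' |
    Select-Object -Last 20 -ExpandProperty Line
```

If step 3 shows no `[monitor://D:\Test\Testscripts]` stanza, the edit did not land in a file the forwarder reads; if step 5 prints nothing, the `index=_internal` search on the indexer, narrowed to the forwarder's host, is the next place to look.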

SplunkTrust

Yes, in the UI of the indexer you will only see the local directories and files. You must manually edit the inputs.conf on the remote universal forwarder; this tells the forwarder to monitor the data and forward it to the indexer. Nevertheless, you will still not see this D drive in your indexer UI 😉

0 Karma

Path Finder

Thanks for your information!

If I edit the inputs.conf file on the universal forwarder machine, will I be able to view the D drive of the remote machine from the main Splunk machine, i.e. under the Files and Directories - Add New option? Generally it shows the drives of the local machine, right?

Regards,
Sushma.

0 Karma