- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Monitoring of remote directory
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring of remote directory
Hi Team,
I have installed Universal forwarder on one of the box that I need to monitor.In that machine I want to monitor a particular folder under E drive, say E:\Splunk. The splunk folder has inturn two more directories ftplogs and NPCI. The NPCI inturn has set of directories which inturn has some logs in it. Splunk can monitor only few directories under NPCI but not all, why is it happening so? Need your suggestion.
Thanks in advance for your help!
Regards,
Sushma.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is likely that the files contain identical content in important sections and have the same CRC so are being interpreted as the same file (only forward it once):
http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled
You can Salt with the filename with crcSalt= so this will not happen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please read the troubleshooting tips I gave you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Under inputs.conf file i just enetered [monitor:///E:Splunk]
disabled =false
recursive = true
Is thereanything more I need to enter?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at the troubleshooting tips I gave you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kindly someone help me on this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To be more clear i shall say this way E:\Splunk has 2 folders ftplogs and ncpi. ftplogs has 5 more folders in it say a,b,c,d,e. the folder a has 10 log files in it with names SystemOut_14.03.2014_18.07.01, SystemOut_14.03.2014_18.07.02 like that ....till 18.07.10. But from SPLUNK machine I could just view only the first log file but not the rest, though I gave monitor=[E:\Splunk] under inputs.conf file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Impossible to say without more details. General troubleshooting tips: check splunkd.log for errors, use amrit's script at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ to see which file inputs Splunk has and what status they have.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
