Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitoring of remote directory

sushma7
Path Finder
‎03-13-2014 03:33 AM

Hi Team,

I have installed Universal forwarder on one of the box that I need to monitor.In that machine I want to monitor a particular folder under E drive, say E:\Splunk. The splunk folder has inturn two more directories ftplogs and NPCI. The NPCI inturn has set of directories which inturn has some logs in it. Splunk can monitor only few directories under NPCI but not all, why is it happening so? Need your suggestion.

Thanks in advance for your help!

Regards,
Sushma.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-24-2015 09:04 PM

It is likely that the files contain identical content in important sections and have the same CRC so are being interpreted as the same file (only forward it once):
http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled

You can Salt with the filename with crcSalt= so this will not happen.

0 Karma
Reply

Ayn
Legend
‎03-14-2014 01:46 AM

Please read the troubleshooting tips I gave you.

Reply

sushma7
Path Finder
‎03-13-2014 11:14 PM

Under inputs.conf file i just enetered [monitor:///E:Splunk]
disabled =false
recursive = true
Is thereanything more I need to enter?

0 Karma
Reply

Ayn
Legend
‎03-13-2014 11:05 PM

Have a look at the troubleshooting tips I gave you.

Reply

sushma7
Path Finder
‎03-13-2014 10:27 PM

Kindly someone help me on this

0 Karma
Reply

sushma7
Path Finder
‎03-13-2014 04:05 AM

To be more clear i shall say this way E:\Splunk has 2 folders ftplogs and ncpi. ftplogs has 5 more folders in it say a,b,c,d,e. the folder a has 10 log files in it with names SystemOut_14.03.2014_18.07.01, SystemOut_14.03.2014_18.07.02 like that ....till 18.07.10. But from SPLUNK machine I could just view only the first log file but not the rest, though I gave monitor=[E:\Splunk] under inputs.conf file

0 Karma
Reply

Ayn
Legend
‎03-13-2014 03:55 AM

Impossible to say without more details. General troubleshooting tips: check splunkd.log for errors, use amrit's script at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ to see which file inputs Splunk has and what status they have.

Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...