Hello all,
I have the problem that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitoring to the host system by selecting
\\vboxsrv\documents\Logauswertungen\Logs
But Splunk won't index these files. Please see my old thread for further information. Since the other thread was concerning another issue, I am opening this one.
Kind regards
EDIT: Here are two screenshots showing the InputData and the Indexes:
I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.
Then let me take the time to check your points: 🙂
(1) We are talking about >8MB of data, that isn't too small, is it? (2) The log files are *.log and can be opened with Windows' Notepad or Wordpad. (3) We will be talking about a large amount of data and the size of the VM is limited. That's why I am trying to access data on network drives of the host system. It is working with folders within the VM without any problems.
The user account splunkd runs as needs to have read permissions on your UNC share. What user are you running splunkd as? Is it a domain user, or a local user account?
If you are running splunkd as a domain account, grant the appropriate account read access on your share. If it is running as a local user, either open the share up to the builtin "Everyone" principal or configure identical local accounts (same username and password) on both the log server and the Splunk VM, then grant this account read access to the share and run splunkd as this account.
I checked the services splunkd and splunkweb in services.msc, they seem to be running in the system account. When I try to change this to the local user the services won't run. I don't get why Splunk can't use the VirtualBox Shared Folder via
\\vboxsrv\...
Let me explain the circumstances first:
-> Sounds as if we won't establish anything here, I don't think it will be possible to add the VM to the domain.
Is there a difference between a VirtualBox Shared Folder through the guest additions and a normal UNC share?
I just tried to set up a share for everyone, but this share seems to be within the domain and can't be accessed by the guest system at all.
No, it doesn't, because the Windows file sharing is done within the local user and the service runs in the system environment. Splunk isn't even able to see the path. (See my old thread about that.)
If you map the drive using Windows file sharing (i.e. using a network drive letter) and specify that in your data input, does it work? (S:\Logs)
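
The check the reply asks for ("What user are you running splunkd as?"), as an added example that is not part of the original thread: it reads the service's logon account and states which identity that account presents to a file share. The function name `Get-NetworkIdentityNote` and the parameter names are hypothetical; the service name and share path are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Run in Windows PowerShell on the Splunk host.
param(
    [string]$ServiceName = 'splunkd',                                  # service named in the thread
    [string]$SharePath   = '\\vboxsrv\documents\Logauswertungen\Logs'  # path quoted in the question
)

# Map a service logon account to the identity it presents to a remote share.
function Get-NetworkIdentityNote {
    param([string]$StartName)
    # Win32_Service may report a local account as COMPUTER\user; normalise to .\user
    $name = $StartName -replace ('^' + [regex]::Escape($env:COMPUTERNAME) + '\\'), '.\'
    switch -Regex ($name) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            return 'Local System: authenticates as the computer account on a domain member, anonymously otherwise; drive letters mapped by a logged-on user are not visible to it.' }
        '^NT AUTHORITY\\Local ?Service$' {
            return 'Local Service: anonymous on the network.' }
        '^NT AUTHORITY\\Network ?Service$' {
            return 'Network Service: authenticates as the computer account.' }
        '^\.\\' {
            return 'Local account: the share host needs an account with the same username and password, granted read access.' }
        default {
            return 'Domain account: grant this account read access on the share.' }
    }
}

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found on this machine."
    return
}
'{0} logs on as: {1}' -f $svc.Name, $svc.StartName
Get-NetworkIdentityNote $svc.StartName

# This listing runs as the interactive user, not as the service account.
# Success here only shows the path exists and is readable in this session;
# the service is limited by the identity reported above.
try {
    $count = @(Get-ChildItem -LiteralPath $SharePath -ErrorAction Stop).Count
    '{0} can list {1} entries in {2}' -f $env:USERNAME, $count, $SharePath
} catch {
    '{0} cannot read {1}: {2}' -f $env:USERNAME, $SharePath, $_.Exception.Message
}
```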