Getting Data In

Can't index data on network drives in (VirtualBox WinXP SP3)

Path Finder

Hello all,

I got the problem, that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitoring to the host system by selecting


But Splunk won't index these files. Please see My old Thread for further information. Since the other Thread was concerning another issue, I am opining this one.

Kind regards

EDIT: Here are two screenshots showing the InputData and the Indexes:

  1. DataInputs
  2. Indexes

I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.

Tags (2)
0 Karma
1 Solution

Path Finder

I will use ubuntu server, this will be my answer to this issue...

View solution in original post

Path Finder

I will use ubuntu server, this will be my answer to this issue...


good choice 🙂

0 Karma


Hi Katsche

again, splunkd.log is your friend - check it for errors/messages.

  • are the log files to small to be indexed?
  • are the log files binary?
  • why don't copy the files locally onto your VM and index them then just to see if this works?
  • like ftk said, are there any permission issues?
  • did you fix the 'service accessing UNC windows' stuff?

so many things to check ......... so little time 🙂

Path Finder

So this bridging seems to be missing. I got a final solution: I will use ubuntu server, Windows XP is dead to me...

0 Karma


your right this is done by the VM tools. but a real share on your host should do the job, if the VM is bridged with the hosts network, else it would not see the hosts share.

0 Karma

Path Finder

I think a found another problem: There is no "Documents" Share within the host system. This is all done by VirtualBox' Shared Folders and the guest additions. When I try to setup a share for everyone directly in my Managed Windows 7 Enterprise I can't see it in the guest system. Moreover the link to describes this workaround for XP, does this even work with Win7 and XP togehter?

0 Karma

Path Finder

I did everything on on the host and guest system, it still won't work.
Maybe this is a error of VirtualBox? I am still getting the permissions error.

0 Karma


okay this was maybe my mistake 🙂 read this: and you will (I did) learn, this should be done on your host and not the VM. because you try to access the hosts share and not a share of the VM.

0 Karma

Path Finder

I edited the Registry Entry (added "Documents") and restarted Windows. I still get the Tailing Processor-Permissions-Error. What do I have to do concerning the "Named Pipes"?

-> If your application uses Named Pipes and requires null session support.

From the HKEY_LOCAL_MACHINE subtree, go to the following key:


On a new line within the NullSessionShares key, type in the pipe you want to access with a null session.

0 Karma


as the share is the first value after the servername, it should be 'Documents' in your case.

Path Finder

I may sound stupid now, but I am sill not sure what I have to type. I got "\vboxsrv\Documents\Logauswertungen\Logs\" or "E:\Logauswertungen\Logs\" ("Documents on vboxsrv (E:)") pointing on the same folder. What do I have to type? "Documents", "vboxsrv"? I just don't get it. 😛

0 Karma



like it says 'type in the share you want to access' so type in the share you want to access.


0 Karma

Path Finder

I started working on your fix MuS. What do I have to enter in this step? "On a new line within the NullSessionShares key, type in the share you want to access with a null session (for example: "PUBLIC")"

0 Karma


here we go: Insufficient permissions!

fix the UNC windows 'bug' and your set 😉

Path Finder

@Ayn: I will check your link and post the results as soon as possible.

0 Karma

Path Finder

@MuS: This is what I found in the splunkd.log: "08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\14.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\15.SystemOut.log' (hint: Incorrect function.).

0 Karma


Ayn's tool tip is very handy use it.
but I still think your basic problem is that the service account is not able to access the UNC share - follow this to fix it. this has nothing to do with your filesystem permissions or if you are able to click in explorer and open a log file.


On a related note, this tool could come in handy:

It lists the state of each input along with descriptions on why some inputs aren't indexed (if any) etc. Really useful!

Path Finder

Except the third one, I don't get it. -> "3.You can also try by making the service as interactive by specifying SERVICE_INTERACTIVE_PROCESS in the servicetype parameter flag of your CreateService() function but this will be limited only till XP as Vista and 7 donot support this feature."

0 Karma

Path Finder

(4) I thought the permissions are granted the second the guest additions in VirtualBox are setup. I can access all of the files in Windows Explorer. No permission issues visible to me. (5) I tried all of the options given here:

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...