I got the problem, that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitoring to the host system by selecting
But Splunk won't index these files. Please see My old Thread for further information. Since the other Thread was concerning another issue, I am opining this one.
EDIT: Here are two screenshots showing the InputData and the Indexes:
I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.
again, splunkd.log is your friend - check it for errors/messages.
so many things to check ......... so little time 🙂
your right this is done by the VM tools. but a real share on your host should do the job, if the VM is bridged with the hosts network, else it would not see the hosts share.
I think a found another problem: There is no "Documents" Share within the host system. This is all done by VirtualBox' Shared Folders and the guest additions. When I try to setup a share for everyone directly in my Managed Windows 7 Enterprise I can't see it in the guest system. Moreover the link to uwe-sieber.de describes this workaround for XP, does this even work with Win7 and XP togehter?
okay this was maybe my mistake 🙂 read this: http://www.uwe-sieber.de/nullsessionshare.html and you will (I did) learn, this should be done on your host and not the VM. because you try to access the hosts share and not a share of the VM.
I edited the Registry Entry (added "Documents") and restarted Windows. I still get the Tailing Processor-Permissions-Error. What do I have to do concerning the "Named Pipes"?
-> If your application uses Named Pipes and requires null session support.
From the HKEY_LOCAL_MACHINE subtree, go to the following key:
\System \CurrentControlSet \Services \LanmanServer \Parameters \NullSessionPipes
On a new line within the NullSessionShares key, type in the pipe you want to access with a null session.
I may sound stupid now, but I am sill not sure what I have to type. I got "\vboxsrv\Documents\Logauswertungen\Logs\" or "E:\Logauswertungen\Logs\" ("Documents on vboxsrv (E:)") pointing on the same folder. What do I have to type? "Documents", "vboxsrv"? I just don't get it. 😛
I started working on your fix MuS. What do I have to enter in this step? "On a new line within the NullSessionShares key, type in the share you want to access with a null session (for example: "PUBLIC")"
@MuS: This is what I found in the splunkd.log: "08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\14.SystemOut.log' (hint: Incorrect function.).
08-18-2011 09:58:58.894 +0200 WARN TailingProcessor - Insufficient permissions to read file='\VBOXSVR\Documents\Logauswertung\Logs\SystemOut\15.SystemOut.log' (hint: Incorrect function.).
Ayn's tool tip is very handy use it.
but I still think your basic problem is that the service account is not able to access the UNC share - follow this http://support.microsoft.com/kb/124184/ to fix it. this has nothing to do with your filesystem permissions or if you are able to click in explorer and open a log file.
On a related note, this tool could come in handy: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
It lists the state of each input along with descriptions on why some inputs aren't indexed (if any) etc. Really useful!
Except the third one, I don't get it. -> "3.You can also try by making the service as interactive by specifying SERVICE_INTERACTIVE_PROCESS in the servicetype parameter flag of your CreateService() function but this will be limited only till XP as Vista and 7 donot support this feature."
(4) I thought the permissions are granted the second the guest additions in VirtualBox are setup. I can access all of the files in Windows Explorer. No permission issues visible to me. (5) I tried all of the options given here: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service/3821317...