I have the problem that Splunk is not able to index any data which is on the host system. Splunk itself is running as a guest in VirtualBox on Windows XP. I am able to add a monitoring to the host system by selecting
But Splunk won't index these files. Please see my old thread for further information. Since the other thread was concerning another issue, I am opening this one.
EDIT: Here are two screenshots showing the InputData and the Indexes:
I think it's interesting that Splunk finds some files (actually there are only 2 files and 1 folder within this directory) but won't index them.
If you map the drive using Windows file sharing (i.e. using a network drive letter) and specify that in your data input, does it work? (S:\Logs)
No, it doesn't, because the Windows file sharing is done within the local user and the service runs in the system environment. Splunk isn't even able to see the path. (See my old thread about that.)
The user account splunkd runs as needs to have read permissions on your UNC share. What user are you running splunkd as? Is it a domain user, or a local user account?
If you are running splunkd as a domain account, grant the appropriate account read access on your share. If it is running as a local user, either open the share up to the builtin "Everyone" principal or configure identical local accounts (same username and password) on both the log server and the splunk VM, then grant this account read access to the share and run splunkd as this account.
Let me explain the circumstances first:
-> Sounds if we won't establish anything here, I don't think it will be possible to add the VM to the domain.
Is there a difference between a VirtualBox Shared Folder through the guest additions and a normal UNC share?
I just tried to set up a share for everyone, but this share seems to be within the domain and can't be accessed by the guest system at all.
I checked the services splunkd and splunkweb in services.msc, they seem to be running in the system account. When I try to change this to the local user the services won't run. I don't get why Splunk can't use the VirtualBox Shared Folder via
again, splunkd.log is your friend - check it for errors/messages.
so many things to check ......... so little time 🙂
Then let me take the time to check your points: 🙂
(1) We are talking about >8MB of data, that isn't too small, is it? (2) The log files are *.log and can be opened with Windows' Notepad or Wordpad. (3) We will be talking about a large amount of data and the size of the VM is limited. That's why I am trying to access data on network drives of the host system. It is working with folders within the VM without any problems.
(4) I thought the permissions are granted the second the guest additions in VirtualBox are set up. I can access all of the files in Windows Explorer. No permission issues visible to me. (5) I tried all of the options given here: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service/3821317...
Except the third one, I don't get it. -> "3. You can also try by making the service as interactive by specifying SERVICE_INTERACTIVE_PROCESS in the servicetype parameter flag of your CreateService() function but this will be limited only till XP as Vista and 7 do not support this feature."