Getting Data In

File path does not exist

anoopambli
Communicator

I am facing problem with adding a remote file on a windows server. Keep getting 'File path does not exist' error message

I have installed universal forwarder on a windows 2003 64 bit server. Forwarder install was successful and service is running fine.

Splunk indexer is running on a linux server, i am running Add data-Files & Directories wizard to configure a file on that remote windows server, when i enter the path \\servername\d$\test_splunk\Central_wrapper.log.1 i get the error message 'File path does not exist' although path is valid.

How do i fix this?

Thanks in advance.

Tags (1)
0 Karma

anoopambli
Communicator

Issue was fixed after setting followtail to 0. This file was a static one, because of no update coming to it indexer was not showing any details of it. After setting followTail = 0, it started working.

Thank you everyone for the answers...

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

If I understand your garbled part, I think you are trying to index a UNC. \\servername\C$\test_splunk\Central_wrapper.log.1 or something similar perhaps? I would suggest adding the file instead to the etc/system/local/inputs.conf file to the Universal Forwarder on the WINDOWS server. (most likely under C:\Program Files\Splunk\etc\system\local\

http://docs.splunk.com/Documentation/Splunk/5.0/admin/inputsconf

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Please use the backticks (`)around paths, so they don't become garbled. All you should need is:

[monitor://D:\test_splunk]
whitelist = .*
disabled = false
followTail = 1
sourcetype = sitescope

anoopambli
Communicator

Sorry for confusing you guys with my question, I am new to splunk and trying to learn it.

I made this entry in inputs.conf file on the windows server where forwarder is installed,

[monitor://D:\test_splunk*]
disabled = false
followTail = 1
index = default
sourcetype = sitescope

Do i need to do any configuration in the indexer inorder to get this data over there? I could see eventlogs (system and application) of the windows servers on splunk but not this particular file (d:\test_splunk\Central_wrapper.log.1).

0 Karma

Ayn
Legend

Wait, what? If I understand your scenario correctly, you have a Linux host that acts as an indexer and a Windows host where the file you want to monitor exists. Now you're trying to add a monitor for that file on the...Linux indexer? Sorry, it does not work that way. You might want to take the Splunk tutorial.

You should configure the input locally on the forwarder on the Windows server, and have that forwarder configured to send its events to the indexer.

0 Karma