Hi,
I have the following very simple use case:
-- Some logs (these are basically Linux logs) are available as a share from a Windows machine. The share is mapped to drive Z:.
-- The universal forwarder is installed on this machine and configured to monitor this directory.
The relevant part of my inputs.conf looks like this:
[monitor://Z:]
recursive = true
disabled = 0
[monitor://Z:\2017\02-09]
disabled = 0
None of them is working and nothing is received in Splunk. When I enable the event log or perfmon sources, these are successfully indexed.
Any idea what's wrong?
Thank you
The answer appears to be permissions and is well-described in the comments.
But I would like to point out another problem: your inputs.conf has overlapping stanzas.
Do not do this! The first stanza monitors the entire Z: directory tree. The second stanza is redundant and should be removed. So your inputs.conf should look like this:
[monitor://Z:]
recursive = true
disabled = 0
Are you running splunkd on a Windows machine? If so, maybe the service is running in a different user context from you. Have you tried using the full UNC name of the folder instead of Z:?
You can get this from issuing a NET USE command on a machine that has the relevant Z: drive. It will look something like "\\ServerName\ShareName".
Good place to start - I can't find my data!
As you are talking about a share: have you made sure that your Splunk user may access this shared folder?
It seems the UNC way is working, at least when I share the files from a Windows server. Unfortunately, in my use case we are sharing from an appliance using Samba, and with this there are some access denied errors, but this is not a Splunk-related issue.
So, the solution: use the UNC path, but also make sure the access rights on the share and files are set properly, so the Splunk user can descend into the directories and read the files.
Thank you again
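The two points made in this thread, that the overlapping [monitor://Z:] and [monitor://Z:\2017\02-09] stanzas are redundant, and that a drive letter mapped in an interactive session is not visible to the forwarder's service account so the UNC path should be used, can both be checked mechanically before restarting the forwarder. The script below is an added example, not code from the thread or from Splunk: it parses an inputs.conf (a constructed sample modelled on the one in the question), reports monitor stanzas whose path already lies inside another recursive monitor stanza, and rewrites drive-letter paths to UNC using a constructed drive map of the kind `net use` would report. The `\\ServerName\ShareName` name is the placeholder from the comment above, not a real host.

```python
"""Lint a Splunk inputs.conf for overlapping [monitor://] stanzas and for
mapped-drive paths a service account cannot see. Added example, not Splunk's code."""
import configparser
import ntpath
import re

MONITOR_PREFIX = "monitor://"
# A leading drive letter ("Z:" or "Z:\...") in a monitor path.
DRIVE_LETTER = re.compile(r"^([A-Za-z]:)(?=$|[\\/])")

# Constructed sample, modelled on the inputs.conf in the question (not a real file).
SAMPLE_INPUTS_CONF = """\
[monitor://Z:]
recursive = true
disabled = 0

[monitor://Z:\\2017\\02-09]
disabled = 0

[WinEventLog://Application]
disabled = 0
"""

# Constructed drive map, as `net use` on the forwarder host would report it (hypothetical names).
SAMPLE_DRIVE_MAP = {"Z:": r"\\ServerName\ShareName"}


def parse_stanzas(text):
    """Return [(section_name, {key: value})] in file order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return [(name, dict(cp[name])) for name in cp.sections()]


def norm(path):
    """Normalise a Windows path for comparison: case-insensitive, backslashes,
    no trailing separator. 'Z:' and 'Z:\\' are treated as the same root."""
    p = ntpath.normcase(ntpath.normpath(path))
    return p.rstrip("\\") or p


def is_within(child, parent):
    """True if child is strictly below parent in the directory tree."""
    c, p = norm(child), norm(parent)
    return c != p and c.startswith(p + "\\")


def is_recursive(opts):
    # Splunk's documented default for `recursive` in a monitor stanza is true.
    return opts.get("recursive", "true").strip().lower() in ("true", "1", "t", "yes")


def find_overlaps(stanzas):
    """Return [(redundant_section, covering_section)] for monitor stanzas whose
    path lies inside the tree of another monitor stanza that is recursive."""
    monitors = [(n, o) for n, o in stanzas if n.startswith(MONITOR_PREFIX)]
    overlaps = []
    for name, _ in monitors:
        for other, opts in monitors:
            if other != name and is_recursive(opts) and is_within(
                name[len(MONITOR_PREFIX):], other[len(MONITOR_PREFIX):]
            ):
                overlaps.append((name, other))
                break
    return overlaps


def to_unc(section, drive_map):
    """Rewrite monitor://Z:\\... to monitor://\\\\server\\share\\... using the
    drive-letter -> UNC map; other sections are returned unchanged."""
    if not section.startswith(MONITOR_PREFIX):
        return section
    path = section[len(MONITOR_PREFIX):]
    m = DRIVE_LETTER.match(path)
    if not m or m.group(1).upper() not in drive_map:
        return section
    return MONITOR_PREFIX + drive_map[m.group(1).upper()] + path[m.end():]


def fix_inputs_conf(text, drive_map):
    """Drop redundant monitor stanzas, rewrite mapped drives to UNC, and return
    (cleaned inputs.conf text, sorted list of dropped section names)."""
    stanzas = parse_stanzas(text)
    redundant = {r for r, _ in find_overlaps(stanzas)}
    out = []
    for name, opts in stanzas:
        if name in redundant:
            continue
        out.append("[%s]" % to_unc(name, drive_map))
        out.extend("%s = %s" % (k, v) for k, v in opts.items())
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n", sorted(redundant)


if __name__ == "__main__":
    for redundant, covering in find_overlaps(parse_stanzas(SAMPLE_INPUTS_CONF)):
        print("redundant: [%s] is already covered by [%s]" % (redundant, covering))
    fixed, _ = fix_inputs_conf(SAMPLE_INPUTS_CONF, SAMPLE_DRIVE_MAP)
    print(fixed)
```

Run it against a copy of the forwarder's inputs.conf and the output of `net use` from the account that mapped the drive. The rewritten stanza still only works if the account splunkd runs as can traverse the share and read the files, which is the permissions point the thread ends on; the script checks the configuration, not the ACLs.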
I suppose this is where the dog lies buried. When I copied one of the logs from the share to the local disk, it was successfully sent to Splunk; however, from the share it isn't.
I've changed the user that runs the Splunk forwarder to my domain account and I also made sure the share is accessible using my domain account, but it is still not working. I suppose when I map a drive, it is not visible to the forwarder (or any service account); however, I can see this in the log:
TailingProcessor - Parsing configuration stanza: monitor://Z:.
Any idea?
Thank you