How can I arrange an input from a file share? The file share is like \\xyzglobal.local\Apps\Agent\Dev\logs\Dev. I have the Splunk deploy/receiver server on a Linux box, and all other inputs are coming from Windows and Linux boxes. Please suggest.
You can monitor shared folders/directories the same as local ones. The stanza in inputs.conf will look like this:
[monitor://\\xyzglobal.local\Apps\Agent\Dev\logs\Dev\*]
disabled = false
# recursive: set to true or false
recursive = true
sourcetype = s_type
index = someindex
Make sure you have read access to the file share.
It has finally worked; however, I used four backslashes instead of two.
Thank you very much for your suggestion and information. I will give it a try as soon as I can arrange a Windows server to install the UF, and I will share the result.
Yes, my installation is running on a local account. So, as you mentioned, I need to install the universal forwarder on another machine in the domain and collect the logs from the file share. I have checked the installation of the universal forwarder, and the use of a domain account is available as an option. However, I did not get how and where to mention the file share link/path in the universal forwarder while installing it. Should I mention it in the inputs.conf file as you mentioned in your first response? Please suggest. Thank you once again.
Yes, install it as any normal Universal Forwarder installation, except that the account name should be the domain account (svc_splunk). It is preferable to install the Universal Forwarder on a Windows machine if the shared directory to monitor is on a Windows Server.
Once the forwarder is successfully installed, open the System\Local folder, edit inputs.conf and paste the following stanza. Replace the parameter values with your desired ones. Restart Splunk and it should start indexing the data in the files.
[monitor://\\xyzglobal.local\Apps\Agent\Dev\logs\Dev\*]
disabled = false
recursive = true
sourcetype = s_type
index = someindex
I have a set of DCs from which I need to monitor the device logs, which are located in a shared path.
I tried entering the stanza below for each server and DC separately, which worked. But when I try to standardise this monitoring with a pattern, to avoid pushing the configs each time, it does not work. Can you let me know where it is going wrong?
[monitor://\\azwvocasp00005\PRDC_DeviceLogs\DeviceLogs]
disabled = 0
recursive = true
sourcetype = Vocollect:DeviceLog
index = rpl_winos_application_prod
Now I am trying:
[monitor://\\azwvocasp000*\*DC_DeviceLogs\DeviceLogs]
disabled = 0
recursive = true
sourcetype = Vocollect:DeviceLog
index = rpl_winos_application_prod
Thanks in Advance 🙂
This is a 7 years old thread. You'd get much more visibility if you posted your question as a new thread (possibly dropping in a link to this thread for reference if it's relevant to your case).
Thank you very much for the response and the solution. I would like to have one more clarification on this. With which account should I have read access to the file share from the receiver server? I know I will only be permitted to access the file share with a domain service account (for example xyzglobal\svc-splunkab). If so, where should I mention that account's details on the receiver server?
Well, it is the account your Splunk instance is running as. While installing the Splunk forwarder/instance, it asks whether you want to install it as a domain account or a local account. Here you should give the xyzglobal\svc-splunkab account. Unfortunately, it will not work with this method if you have installed Splunk with the Local System account.
However, you can install a universal forwarder on any domain-joined machine with this service account and start monitoring this directory.
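Putting the two answers together (the forwarder must run as the domain service account, that account must be able to read the share, and the monitor stanza goes into etc\system\local\inputs.conf), here is an added PowerShell check that is not part of the original thread. It assumes the Universal Forwarder is installed in its default directory, that its Windows service is named SplunkForwarder, and it reuses the hypothetical share and account names from the thread; replace those with your own.

```powershell
# Added example, not from the original thread. Checks the prerequisites the
# answers describe and writes the monitor stanza for a UNC share.
# Assumptions (hypothetical values, change them for your environment):
#   $SplunkHome      default Universal Forwarder install directory
#   $ServiceName     the UF's Windows service name (SplunkForwarder)
#   $ExpectedAccount the domain service account from the thread
#   $SharePath       the file share from the thread

$SplunkHome      = 'C:\Program Files\SplunkUniversalForwarder'
$ServiceName     = 'SplunkForwarder'
$ExpectedAccount = 'xyzglobal\svc-splunkab'
$SharePath       = '\\xyzglobal.local\Apps\Agent\Dev\logs\Dev'

# 1. The forwarder opens the share with the identity its service runs as.
#    Local System has no usable domain identity, so a UF installed that way
#    cannot read a domain share (the point made in the last answer).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found. Is the forwarder installed?" }
if ($svc.StartName -ieq $ExpectedAccount) {
    Write-Host "OK: $ServiceName runs as $($svc.StartName)"
} else {
    Write-Warning "$ServiceName runs as '$($svc.StartName)', expected '$ExpectedAccount'."
    Write-Warning "Reinstall the forwarder choosing the domain account, or change the service logon."
}

# 2. Read access to the share. This only proves something when the script
#    itself runs as the service account, so report who is running it.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Testing share access as $me"
if (-not (Test-Path -LiteralPath $SharePath)) {
    throw "Cannot reach $SharePath as $me. Fix share/NTFS permissions before going further."
}
Get-ChildItem -LiteralPath $SharePath -Recurse -File |
    Select-Object -First 5 FullName, Length, LastWriteTime

# 3. Append the stanza to etc\system\local\inputs.conf (skip if already there).
#    The path is written with two leading backslashes as in the answers above;
#    the original poster reported needing four on their forwarder, so try that
#    if the input does not appear after the restart.
$inputsConf = Join-Path $SplunkHome 'etc\system\local\inputs.conf'
$stanza = @"

[monitor://$SharePath\*]
disabled = false
recursive = true
sourcetype = s_type
index = someindex
"@
if ((Test-Path -LiteralPath $inputsConf) -and
    (Select-String -Path $inputsConf -SimpleMatch "[monitor://$SharePath" -Quiet)) {
    Write-Host "Stanza for $SharePath already present in $inputsConf"
} else {
    Add-Content -LiteralPath $inputsConf -Value $stanza
    Write-Host "Stanza appended to $inputsConf"
}

# 4. Restart so the forwarder picks up the new input.
Restart-Service -Name $ServiceName
```

Run it in a session started as the service account (for example via runas /user:xyzglobal\svc-splunkab powershell.exe) so that the Test-Path and Get-ChildItem calls exercise the same identity the forwarder uses; a successful listing from your own admin account proves nothing about the service account. After the restart, splunk.exe list monitor from the forwarder's bin directory should show the UNC path among the monitored inputs.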