Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to collect data from directories on remote machine into splunk indexer

sushma7
Path Finder
‎01-29-2014 01:09 AM

Hi,

I have directories residing on D drive on my remote machine.

I have a splunk machine using which I need to collect the data from the directory on D drive on remote machine.

I had installed universal forwarder on the remote machine, but it does not help me to fetch out the information from D drive. I can fetch the data only from the eventlogs of remote machine.

Kindly help!

Thanks & Regards,
Sushma.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 01:24 AM

Hi sushma7,

best is to start reading the docs about Monitor files and directories and on edit inputs.conf. Remember this must all be done on your universal forwarder where your D drive exists.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 01:24 AM

Hi sushma7,

best is to start reading the docs about Monitor files and directories and on edit inputs.conf. Remember this must all be done on your universal forwarder where your D drive exists.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 11:30 PM

You're welcome. Now you can show your support and accept the answer and/or upvote it 😉 thx 🙂

0 Karma
Reply
Solved! Jump to solution

sushma7
Path Finder
‎01-29-2014 10:33 PM

Thanks for your support! It worked out....hurray!!!!!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 06:48 AM

Yes if you monitor a directory Splunk will read everything in there if you did not set any black/whitelists which you did not 😉

0 Karma
Reply
Solved! Jump to solution

sushma7
Path Finder
‎01-29-2014 06:43 AM

Yep I would, one more query, the directory that i mentioned in the inputs.conf is not a static one, the files in it gets updated for every 4 hours, so it would get updated in splunk as well right?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 06:33 AM

check 'index=_internal' for any message related to your universal forwarder

0 Karma
Reply
Solved! Jump to solution

sushma7
Path Finder
‎01-29-2014 06:26 AM

I had restarted the forwarder service from services.msc
Then i logged into the main splunk instance and under the search and reporting app I ran the query sourcetpe = access_combined,because this is what I mentioned in the inputs.conf, but I could not view the data that I intended to monitor.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 06:10 AM

Did you restart the universal forwarder after the file change? Can the user running splunk access this directory? What is your issues?

0 Karma
Reply
Solved! Jump to solution

sushma7
Path Finder
‎01-29-2014 06:06 AM

As you have said, I had changed the inputs.conf file on the remote universal forwarder and here is what I did.
1)I want to monitor D:\Test\Testscripts (folder) on remote machine.
2) So i added the following lines on the E:\SplunkUniversalForwarder\etc\system\local\inputs.conf file. The lines are as follows:

[monitor://D:\Test\Testscripts]
disabled = false
sourcetype = access_combined

3) Then I logged into the main splunk instance, now I should be able to view the directory right? I am still facing issues. Still should I make anymore changes?

Can you correct me if i was wrong somewhere.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2014 01:46 AM

yes, in the UI of the indexer you will only see the local directories and files. You must manually edit the inputs.conf on the remote universal forwarder, this tells the forwarder to monitor the data and forward it to the indexer. Nevertheless, you will still not see this D drive in your indexer UI 😉

0 Karma
Reply
Solved! Jump to solution

sushma7
Path Finder
‎01-29-2014 01:38 AM

Thanks for your information!

If i edit the inputs.conf file on the universal forwarder machine. Will I be able to view the D drive of remote machine from the main splunk machine i.e under Files and Directories- Add New option? Generally it shows the drives of the local machine right?

Regards,
Sushma.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...