Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to configure File/Directory Information Input on UFs?

Spranta
Splunk Employee
Splunk Employee
‎02-27-2018 03:10 AM

Hi all,

we have deployed the file_meta_data app on one of our universal forwarders running on windows 2012R2 because we want to monitor the file size for a specific file.

The inputs.conf looks like this

[file_meta_data://Trendmicro]
file_hash_limit = 300MB
file_path = C:\Program Files\Trend\SProtect\x64\SpntLog\SpntLog.dbf
include_file_hash = 0
index = egg_win_prod_90
interval = 1m
only_if_changed = 0
recurse = 1
sourcetype = File_Metadata
disabled=0

But it's not working and in the Splunkd.log I see the following error:

The file 

2-27-2018 11:34:25.499 +0100 ERROR ModularInputs - Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.
02-27-2018 11:34:25.499 +0100 ERROR ModularInputs - Unable to initialize modular input "file_meta_data"  defined inside the app "file_meta_data": Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.

Has anyone an idea why we are getting this error?

Thanks
Alex

0 Karma
Reply

Spranta
Splunk Employee
Splunk Employee
‎02-27-2018 05:05 AM

Hi FrankVI,

thanks for your answer, thought the latest version is UF ready.
Version 1.3
Sept. 22, 2017
Added support for deploying on Universal Forwarders

Hm 😕

0 Karma
Reply

FrankVl
Ultra Champion
‎02-27-2018 05:24 AM

Yes, and the way he made it UF ready is by allowing the add on to use system python if there is not python available within splunk (as is the case on UF).

So yes: it works with UF, but it still requires python, so since UF doesn't supply python, you need to make sure python is installed separately.

0 Karma
Reply

Spranta
Splunk Employee
Splunk Employee
‎02-27-2018 05:27 AM

Thanks,

is there an app for the python support, just like powershell add on?

Alex

0 Karma
Reply

FrankVl
Ultra Champion
‎02-27-2018 05:40 AM

Don't think so. I think you just need to get the relevant installer from https://www.python.org/downloads/windows/ to install python on that server.

0 Karma
Reply

FrankVl
Ultra Champion
‎02-27-2018 05:01 AM

Universal Forwarders don't come with python (unlike heavy forwarder), so to make this work, you will need to make sure you have a working python installed on the host that is running this UF or use a Heavy Forwarder instead.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...