Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to monitor a remote server data into Splunk from the multiple specific path?

CHAUHAN812
Explorer
‎02-28-2023 03:14 AM

Hello Everyone, 

We are trying to monitor specific local paths on a remote server (Remote01) and send the data to Splunk, either in an existing index or a new one. 
We have installed a Universal Forwarder on the remote server and were able to fetch data from one folder (\\Remote01\e$\Document-DEF\Folder01) under the default index (index=main).
However, we are unable to monitor a second folder (\\Remote01\e$\Document-GHI\Folder02) because the Universal Forwarder setup file only allows for one path. 

We are facing the following challenges and would appreciate any guidance or advice on how to overcome them and successfully monitor both folders on the remote server in Splunk: 

1.    We can't create a new index for the remote server.
2.    We can't get any information from the other folder we want to monitor ('Folder02').
3.    We can't get information from the remote server in the existing index. 

So in short, we can monitor one folder on the remote server Remote01 but unsure how to configure the forwarder to monitor a second folder on the same Remote01 server.

Thanks in advance for your help!

Labels (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-28-2023 04:51 AM

https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/MonitorfilesanddirectoriesusingtheCLI

But I would strongly advise reading through all https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/WhatSplunkcanmonitor

Also, please don't use the main index. Create another one(s) depending on your needs but the main index shouldn't really be used in production. It's a default index so typically events from misconfigured inputs go there, it's not meant as an index for production data.

0 Karma
Reply

CHAUHAN812
Explorer
‎02-28-2023 09:51 AM

We have created new index in the Splunk and modifying the input.conf file (\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local) where we have installed the Splunk Forwarder remote server.

Here we have added the newly created index with the new required folder path.

For Example : 

[monitor://T:\New]
index = new1
disabled = false

But it did not work here. 

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...
Top