Is it possible to forward logs to an indexer from a mapped drive using a universal forwarder?

Abilan1
Path Finder

Hi,

I have installed the Splunk universal forwarder on my machine and I have also mapped on the remote server to this server. In the inputs.conf file, I have updated this mapped disk path. Still, it is not forwarding the logs. Can anyone help me here? Also, I don't see any error in the splunkd.log file.

inputs.conf file:

[monitor://Y:\Test]
disabled = false
index = Test
sourcetype = VET

Thank you!

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings.

You can use UNC paths instead, but only if you have machines on the domain (or if matching user accounts on both non-domain machines have the same password).

i.e. [monitor://\\Server\Volume\File]

Check here for an explanation of a few ways to get this done: http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service

Either way... keep in mind, what you are looking for is "how to map a drive to be used by a service"

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
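
One way to check what the answer above describes, as an added example (not from the original thread or from Splunk): it reports the account the forwarder service logs on as and flags any `[monitor://...]` stanza that points at a drive letter mapped only in the interactive session, with the UNC path it resolves to. The service name `SplunkForwarder` and the inputs.conf location are assumed defaults; adjust both for your install.

```powershell
# Added example. Run it in the interactive session where the drive is mapped.
# Assumptions: default service name and default inputs.conf location.
$ServiceName = 'SplunkForwarder'
$InputsConf  = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'

# 1. Which account does the forwarder service log on as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service logon account: $($svc.StartName)"
if ($svc.StartName -eq 'LocalSystem') {
    'LocalSystem has no user credentials; it reaches remote shares as the computer account (DOMAIN\HOST$).'
}

# 2. Network drive letters mapped in THIS session (DriveType 4 = network drive).
#    ProviderName holds the UNC path behind the letter.
$mapped = @{}
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=4' |
    ForEach-Object { $mapped[$_.DeviceID] = $_.ProviderName }

# 3. Classify every [monitor://...] stanza in inputs.conf.
Select-String -Path $InputsConf -Pattern '^\s*\[monitor://(.+)\]\s*$' | ForEach-Object {
    $path = $_.Matches[0].Groups[1].Value
    if ($path -match '^\\\\') {
        $note = 'UNC path: the service account needs read access on the share and the NTFS ACL'
    } elseif ($path -match '^([A-Za-z]:)(.*)$' -and $mapped.ContainsKey($Matches[1].ToUpper())) {
        # The mapping exists only for the logged-on user, not for the service.
        $note = 'mapped drive, not visible to the service; use ' +
                $mapped[$Matches[1].ToUpper()] + $Matches[2]
    } else {
        $note = 'local path'
    }
    [pscustomobject]@{ Line = $_.LineNumber; Path = $path; Note = $note }
} | Format-Table -AutoSize -Wrap
```

A stanza such as `[monitor://Y:\Test]` is reported as a mapped drive together with the UNC path to use instead. Grant the service account read-only access to that share rather than reusing an administrator's credentials.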


rsennett_splunk
Splunk Employee

Something to look at would be whether Splunk can see those files... you can... but can Splunk?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee

Splunk is running as a particular user. Check services.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee

See my edited answer. I realize I wasn't completely thinking "Windows". Sorry. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Abilan1
Path Finder

Hi,

If that other machine is also in the same domain, do you mean I can directly update the UNC path in the inputs.conf file? Do the username and password also need to be the same in this case?

0 Karma

Abilan1
Path Finder

Hi,

I have updated the UNC path in the inputs.conf file, but I am still not getting the logs in Splunk.

0 Karma

Abilan1
Path Finder

Hi,

My machines are in the same domain. I just wanted to know: do I need to configure the Universal Forwarder using a domain account for this, or is it okay to configure it with a local account?

0 Karma

Abilan1
Path Finder

Can anyone help me on this?

0 Karma

Abilan1
Path Finder

Hi,

I have checked; the service is also running fine, and it is forwarding other local files to the indexer. I can see the below in splunkd.log:

07-30-2015 14:11:35.744 -0400 INFO TailingProcessor - Adding watch on path: Y:\Test\log.
07-30-2015 14:11:35.744 -0400 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).

Thanks!!

0 Karma

rsennett_splunk
Splunk Employee

So your monitor stanza points at Y:\Test\log. Is that the folder where your files are?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Abilan1
Path Finder

Hi,

Yes, that is my mapped drive name..

0 Karma

rsennett_splunk
Splunk Employee

See edited Answer... Splunk, running as a service can't see the drive name. UNC is the alternative... caveat mentioned in my answer.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Abilan1
Path Finder

Hi,

How can I check whether Splunk can see it or not? I can see the mapped drive log path in the Splunk monitor list. Can you help me with how to check whether Splunk can see it or not?

0 Karma

Abilan1
Path Finder

Hi,

I have the log files under the Test folder only. I have also created a new folder under Test and copied some files there; it is not forwarding them.

0 Karma

bmacias84
Champion

Mapped drives / CIFS shares have problems. You will see data being forwarded, but if there is a network or file lock the forwarder will stop forwarding data.

0 Karma

Abilan1
Path Finder

Hi,

Can you please tell me how to check whether there is a network or file lock?

I can access the files manually from that share path.

0 Karma