Getting Data In

Is it possible to forward logs to an indexer from a mapped drive using a universal forwarder?

Abilan1
Path Finder

Hi,

I have installed the Splunk universal forwarder on my machine and I have also mapped on the remote server to this server. In inputs.conf file, I have updated this mapped disk path. Still it is not forwarding the logs. Can anyone help me here? Also, I don't see any error in the splunkd.log file.

inputs.conf file.

[monitor://Y:\Test]
disabled = false
index = Test
sourcetype = VET

Thank you!

0 Karma
1 Solution

rsennett_splunk
Splunk Employee
Splunk Employee

Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings.

You can use UNC paths instead, but only if you have machines on the domain (or if matching user accounts on both non-domain machines have the same password).

ie [monitor://\\Server\Volume\File]

check here http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service

For an explanation of a few ways to get this done.

Either way... keep in mind, what you are looking for is "how to map a drive to be used by a service"

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk
Splunk Employee
Splunk Employee

Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings.

You can use UNC paths instead, but only if you have machines on the domain (or if matching user accounts on both non-domain machines have the same password).

ie [monitor://\\Server\Volume\File]

check here http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service

For an explanation of a few ways to get this done.

Either way... keep in mind, what you are looking for is "how to map a drive to be used by a service"

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk
Splunk Employee
Splunk Employee

Something to look at would be whether Splunk can see those files... you can... but can Splunk?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

Splunk is running as a particular user. Check services.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

see my edited answer. I realize I wasn't completely thinking "windows". sorry. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Abilan1
Path Finder

Hi ,

If I am having that another machine also in the same domain, then you mean I can directly update the UNC path in inputs.conf file? Also username and password needs to be same in this case also?

0 Karma

Abilan1
Path Finder

Hi ,

I have updated the UNC path in inputs.conf file, still I am not getting the logs in splunk.

0 Karma

Abilan1
Path Finder

Hi ,

My machines are in the same domain, I just wanted to know do I need to configure Universal Forwarder using domain account for this or is it okay to configure with local account?

0 Karma

Abilan1
Path Finder

Can anyone help me on this?

0 Karma

Abilan1
Path Finder

Hi ,

I have checked, service also running fine, it is forwarding other local files to Indexer. I can see below in splunkd.log

,07-30-2015 14:11:35.744 -0400 INFO TailingProcessor - Adding watch on path: Y:\Test\log.
07-30-2015 14:11:35.744 -0400 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).

Thanks!!

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

so your monitor stanza points at Y:Testlog is that the folder where your files are?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Abilan1
Path Finder

Hi,

Yes, that is my mapped drive name..

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

See edited Answer... Splunk, running as a service can't see the drive name. UNC is the alternative... caveat mentioned in my answer.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Abilan1
Path Finder

Hi ,

How can I check whether splunk can see it or not? I can see the mapped drive log path in splunk monitor list. can you help me on how to check whether splunk can see it or not?

0 Karma

Abilan1
Path Finder

Hi,

I have the log files under Test folder only. Also I have created new folder under Test and copied some files to there, it is not forwarding it.

0 Karma

bmacias84
Champion

Mapped drives / CIF Share have problems. You will see data being forwarded but if there is a network or file lock the forwarder will stop forwarding data.

0 Karma

Abilan1
Path Finder

Hi ,

Can you please tell me how to check is there a network or file lock?

I can access the files manually from that share path.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!