Hi,
I have installed the Splunk universal forwarder on my machine and I have also mapped on the remote server to this server. In inputs.conf file, I have updated this mapped disk path. Still it is not forwarding the logs. Can anyone help me here? Also, I don't see any error in the splunkd.log file.
inputs.conf file.
[monitor://Y:\Test]
disabled = false
index = Test
sourcetype = VET
Thank you!
Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings.
You can use UNC paths instead, but only if you have machines on the domain (or if matching user accounts on both non-domain machines have the same password).
ie [monitor://\\Server\Volume\File]
check here http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service
For an explanation of a few ways to get this done.
Either way... keep in mind, what you are looking for is "how to map a drive to be used by a service"
Persistent drive mappings for a user are only established for interactive logon sessions, which means that the Splunk service account won't see these mappings.
You can use UNC paths instead, but only if you have machines on the domain (or if matching user accounts on both non-domain machines have the same password).
ie [monitor://\\Server\Volume\File]
check here http://stackoverflow.com/questions/182750/how-to-map-a-network-drive-to-be-used-by-a-service
For an explanation of a few ways to get this done.
Either way... keep in mind, what you are looking for is "how to map a drive to be used by a service"
Something to look at would be whether Splunk can see those files... you can... but can Splunk?
Splunk is running as a particular user. Check services.
see my edited answer. I realize I wasn't completely thinking "windows". sorry. 🙂
Hi ,
If I am having that another machine also in the same domain, then you mean I can directly update the UNC path in inputs.conf file? Also username and password needs to be same in this case also?
Hi ,
I have updated the UNC path in inputs.conf file, still I am not getting the logs in splunk.
Hi ,
My machines are in the same domain, I just wanted to know do I need to configure Universal Forwarder using domain account for this or is it okay to configure with local account?
Can anyone help me on this?
Hi ,
I have checked, service also running fine, it is forwarding other local files to Indexer. I can see below in splunkd.log
,07-30-2015 14:11:35.744 -0400 INFO TailingProcessor - Adding watch on path: Y:\Test\log.
07-30-2015 14:11:35.744 -0400 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).
Thanks!!
so your monitor stanza points at Y:Testlog is that the folder where your files are?
Hi,
Yes, that is my mapped drive name..
See edited Answer... Splunk, running as a service can't see the drive name. UNC is the alternative... caveat mentioned in my answer.
Hi ,
How can I check whether splunk can see it or not? I can see the mapped drive log path in splunk monitor list. can you help me on how to check whether splunk can see it or not?
Hi,
I have the log files under Test folder only. Also I have created new folder under Test and copied some files to there, it is not forwarding it.
Mapped drives / CIF Share have problems. You will see data being forwarded but if there is a network or file lock the forwarder will stop forwarding data.
Hi ,
Can you please tell me how to check is there a network or file lock?
I can access the files manually from that share path.