Getting Data In

Monitoring a remote server directory from my workstation

Motivator

Hey,

I am new to Splunk and I have a newbie question 🙂

I have installed Splunk (v.4.1.3) on my workstation choosing the Local System User option. My Splunk instance is able to monitor files stored on my local drives (e.g. C:).

I have read access to log files stored on a remote server but my question is: How can I get my instance of Splunk on my local workstation to monitor the directory on the remote server containing these log files? (My instance of Splunk should be able to index these log files.)

Both the remote server and my workstation have Windows OS. Splunk is not installed on the remote server.

Thanks in advance for your help. Regards, Antoine.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hi there,

you can specify a shared directory containing the remote logfiles. The Splunk server must be able to read from this directory.

See also the Documentation:

http://www.splunk.com/base/Documentation/4.1.4/admin/MonitorFilesAndDirectories

Hope that helps!

Cheers


0 Karma

Explorer

Hi Ant1D

Can you please help me to figure out how we can monitor a remote log directory from my local Splunk?

For example, I have shared the directory below to Everyone but I am unable to index it using the Files & Directories option:

\\10.172.139.32\d$\splunk

0 Karma

Explorer

I am getting below error:

04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///10.172.139.32/d$/splunk.
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Adding watch on path: \10.172.139.32/d$/splunk.
04-19-2018 16:11:07.889 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
04-19-2018 16:12:07.713 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'

0 Karma

Explorer

Hello Daniel, can you please share with me how you managed to get it working? I am also trying to access logs on a remote UNIX server, but even if I provide the UNC path, Splunk is not retrieving the log files on that server.

0 Karma

New Member

When I try to run the Indexer service under a different account, the service crashes. I can only run this service under the Local System account. I've tried this on two different machines with the same results.

0 Karma

Motivator

I have managed to get it working now. Thanks for your help

0 Karma

Explorer

I have configured the parameters below to monitor the remote path in "c$\Program Files\Splunk\etc\system\default\inputs.conf":

[monitor:///10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs

[MonitorNoHandle://10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs

However, I am getting below error after restarting Splunk as:

04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///10.172.139.32/d$/splunk.
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Adding watch on path: \10.172.139.32/d$/splunk.
04-19-2018 16:11:07.889 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
04-19-2018 16:12:07.713 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'

0 Karma

Explorer

Hi

Can you please help me to figure out how we can monitor a remote log directory from my local Splunk?

For example, I have shared the directory below to Everyone but I am unable to index it using the Files & Directories option:

\\10.172.139.32\d$\splunk

0 Karma

Motivator

I can access the directory of the server from the workstation that Splunk is installed on. What do you mean exactly when you say "running the Splunk Indexer with a SPECIAL ROLE"?

0 Karma

Splunk Employee
Splunk Employee

When you share the directory or mount the drive, you have to make sure that, if you are running the Splunk Indexer with a special role, that role can access the remote drives.
Just log in to the system that hosts the Splunk Indexer and try to access the remote drive.
If that works, Splunk can also access the drive.

Cheers,

Christian

0 Karma
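As an added example (not part of the thread), a PowerShell check to run on the workstation that hosts Splunk, following the advice above: it reads which account the splunkd service runs as, maps LocalSystem to the computer account that identity uses over the network, and inspects the ACL on the target directory. The share path is the one posted in the thread; the service name Splunkd and the inputs.conf stanza form in the trailing comment are assumptions.

```powershell
# Added example, not from the thread. Run on the host where Splunk is installed.
# $SharePath comes from the thread; 'Splunkd' is the assumed Windows service name.
param(
    [string]$SharePath   = '\\10.172.139.32\d$\splunk',
    [string]$ServiceName = 'Splunkd'
)

# 1. Which identity does the Splunk service run as? A service running as LocalSystem
#    reaches network shares as the computer account (DOMAIN\HOSTNAME$), so that is
#    the principal the share and NTFS ACLs must allow.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }
$account = $svc.StartName
if ($account -eq 'LocalSystem') {
    $account = "$env:USERDOMAIN\$env:COMPUTERNAME`$"
}
Write-Host "Service '$ServiceName' runs as $($svc.StartName); network identity: $account"

# 2. Test-Path only proves access for whoever runs this script, so it is a first
#    sanity check, not proof that the service account can read the path.
if (-not (Test-Path -LiteralPath $SharePath)) {
    Write-Warning "Path not reachable as $env:USERNAME : $SharePath"
}

# 3. List the NTFS ACEs on the directory and flag any Allow entry that grants read
#    to the service identity directly or via a broad group it may belong to.
$acl = Get-Acl -LiteralPath $SharePath -ErrorAction Stop
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

$readAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -in @($account, 'Everyone', 'NT AUTHORITY\Authenticated Users') -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
}
if ($readAce) {
    Write-Host "OK: an Allow ACE grants read to $account (or a group it may belong to)."
} else {
    Write-Warning "No Allow-read ACE for $account. Grant read on both the share and the NTFS folder, or run the service as a domain account that has it."
}

# 4. Assumed inputs.conf stanza for a UNC path on Windows (backslashes, as in the
#    doc text quoted in the thread, rather than the forward-slash form that failed):
# [monitor://\\10.172.139.32\d$\splunk]
# index = lm-uscmit-p-finsvcs
```

Remember that the share permission and the NTFS permission are checked separately, so read must be granted at both levels for the identity shown in step 1.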

Motivator

In the link you gave, it says the following:

  1. Specify the Full path to the file or directory.

To monitor a shared network drive, enter the following: (or \<mypath> on Windows). Make sure Splunk has read access to the mounted drive, as well as to the files you wish to monitor.

How do I ensure that Splunk has read access to this?

0 Karma