Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring directory on a remote host

madavis1986
New Member
‎07-17-2018 07:15 AM

I am attempting to ingest data from a remote host (Linux) to my Search Head/Indexer host (Windows) via Splunk Web. I am unable to install a Splunk instance on the remote host, so a Forwarder is not a feasible solution. I have seen it suggested in other Splunk>answer threads that one can mount the filesystem of the remote server , although it is not ideal. I mounted the remote server and can successful ingest the data using the Add Data>upload option, but that same data is not visible if I attempt to use Add Data>monitor>Files&Directories for real-time ingestion. Why is the data only visible for Upload and not real-time Monitor? Would changes should I implement to enable this?

Splunk version: 7.0.3
Directory to ingest: mapped to a network drive (S:)

0 Karma
Reply

madavis1986
New Member
‎07-19-2018 08:32 AM

My original issue was the Select a Source screen reporting the following error "This path does not exist or is not accessible" (not the preview message). I now believe that this was due to me attempting to select a file using a mapped network drive. Switching to UNC path allowed me to complete the Add Data process.

Unfortunately no events from my monitored file (/var/log/messages) are being ingested.
splunkd.log is reporting the following error: WARN FilesystemChangeWatcher - error getting attributes of "\messages: The network path was not found

If I attempted to select index once option (instead of continuously monitoring) I reach the Review step of the Add Data process where a similar error is displayed: unable to open file: path='\messages' error= 'The network path was not found.'

Finally if I attempt to Add Data>upload and point to the same file (\messages) I can successful ingest the file.

0 Karma
Reply

CarsonZa
Contributor
‎07-17-2018 09:37 AM

you can still use the monitor type input, it just wont show you a preview of the data before ingesting for remote hosts. This is working as intended.

0 Karma
Reply

madavis1986
New Member
‎07-19-2018 08:33 AM

My original issue was the Select a Source screen reporting the following error "This path does not exist or is not accessible" (not the preview message). I now believe that this was due to me attempting to select a file using a mapped network drive. Switching to UNC path allowed me to complete the Add Data process.

Unfortunately no events from my monitored file (/var/log/messages) are being ingested.
splunkd.log is reporting the following error: WARN FilesystemChangeWatcher - error getting attributes of "\messages: The network path was not found

If I attempted to select index once option (instead of continuously monitoring) I reach the Review step of the Add Data process where a similar error is displayed: unable to open file: path='\messages' error= 'The network path was not found.'

Finally if I attempt to Add Data>upload and point to the same file (\messages) I can successful ingest the file.

0 Karma
Reply
The Latest From the Splunk Community!