Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Monitoring directory on a remote host
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring directory on a remote host
I am attempting to ingest data from a remote host (Linux) to my Search Head/Indexer host (Windows) via Splunk Web. I am unable to install a Splunk instance on the remote host, so a Forwarder is not a feasible solution. I have seen it suggested in other Splunk>answer threads that one can mount the filesystem of the remote server , although it is not ideal. I mounted the remote server and can successful ingest the data using the Add Data>upload option, but that same data is not visible if I attempt to use Add Data>monitor>Files&Directories for real-time ingestion. Why is the data only visible for Upload and not real-time Monitor? Would changes should I implement to enable this?
Splunk version: 7.0.3
Directory to ingest: mapped to a network drive (S:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My original issue was the Select a Source screen reporting the following error "This path does not exist or is not accessible" (not the preview message). I now believe that this was due to me attempting to select a file using a mapped network drive. Switching to UNC path allowed me to complete the Add Data process.
Unfortunately no events from my monitored file (/var/log/messages) are being ingested.
splunkd.log is reporting the following error: WARN FilesystemChangeWatcher - error getting attributes of "\messages: The network path was not found
If I attempted to select index once option (instead of continuously monitoring) I reach the Review step of the Add Data process where a similar error is displayed: unable to open file: path='\messages' error= 'The network path was not found.'
Finally if I attempt to Add Data>upload and point to the same file (\messages) I can successful ingest the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can still use the monitor type input, it just wont show you a preview of the data before ingesting for remote hosts. This is working as intended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My original issue was the Select a Source screen reporting the following error "This path does not exist or is not accessible" (not the preview message). I now believe that this was due to me attempting to select a file using a mapped network drive. Switching to UNC path allowed me to complete the Add Data process.
Unfortunately no events from my monitored file (/var/log/messages) are being ingested.
splunkd.log is reporting the following error: WARN FilesystemChangeWatcher - error getting attributes of "\messages: The network path was not found
If I attempted to select index once option (instead of continuously monitoring) I reach the Review step of the Add Data process where a similar error is displayed: unable to open file: path='\messages' error= 'The network path was not found.'
Finally if I attempt to Add Data>upload and point to the same file (\messages) I can successful ingest the file.
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Dashboards: Hiding charts while search is being executed and other uses for tokens
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
