Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Monitoring directory on a remote host
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring directory on a remote host
I am attempting to ingest data from a remote host (Linux) to my Search Head/Indexer host (Windows) via Splunk Web. I am unable to install a Splunk instance on the remote host, so a Forwarder is not a feasible solution. I have seen it suggested in other Splunk>answer threads that one can mount the filesystem of the remote server , although it is not ideal. I mounted the remote server and can successful ingest the data using the Add Data>upload option, but that same data is not visible if I attempt to use Add Data>monitor>Files&Directories for real-time ingestion. Why is the data only visible for Upload and not real-time Monitor? Would changes should I implement to enable this?
Splunk version: 7.0.3
Directory to ingest: mapped to a network drive (S:)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My original issue was the Select a Source screen reporting the following error "This path does not exist or is not accessible" (not the preview message). I now believe that this was due to me attempting to select a file using a mapped network drive. Switching to UNC path allowed me to complete the Add Data process.
Unfortunately no events from my monitored file (/var/log/messages) are being ingested.
splunkd.log is reporting the following error: WARN FilesystemChangeWatcher - error getting attributes of "\messages: The network path was not found
If I attempted to select index once option (instead of continuously monitoring) I reach the Review step of the Add Data process where a similar error is displayed: unable to open file: path='\messages' error= 'The network path was not found.'
Finally if I attempt to Add Data>upload and point to the same file (\messages) I can successful ingest the file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can still use the monitor type input, it just wont show you a preview of the data before ingesting for remote hosts. This is working as intended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My original issue was the Select a Source screen reporting the following error "This path does not exist or is not accessible" (not the preview message). I now believe that this was due to me attempting to select a file using a mapped network drive. Switching to UNC path allowed me to complete the Add Data process.
Unfortunately no events from my monitored file (/var/log/messages) are being ingested.
splunkd.log is reporting the following error: WARN FilesystemChangeWatcher - error getting attributes of "\messages: The network path was not found
If I attempted to select index once option (instead of continuously monitoring) I reach the Review step of the Add Data process where a similar error is displayed: unable to open file: path='\messages' error= 'The network path was not found.'
Finally if I attempt to Add Data>upload and point to the same file (\messages) I can successful ingest the file.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
