I setup a data input from a network source. They are IIS logs and they reside on a networked drive. I setup the input to continuously monitor the directory. Splunk is not indexing the data. When I go into the splunkd log I see the following:
WARN FilesystemChangeWatcher - error reading directory "\\Server\inetpub\logs\LogFiles\W3SVC4": The operation completed successfully.
Any ideas on what I have done wrong or what other steps I need to take to get the data to index? Do I need to add entries into local .conf files? When I was building the dashboards I moved some of the log files locally to the splunk system and indexed them, the logs indexed with no issues. Any advice is welcomed.
Does the account that is running Splunk have the domain-level access that is necessary to read directories on a network drive?
That is good - but what user are you signed in as? What user credentials does the Splunk service use?
I can view the logs across the network while remoted into the system with the Splunk installation.