Getting Data In

Simple example of inputs.conf to monitor a logfile on a remote share

skaboy71
Explorer

I've been looking for this but not finding it.

I have this:

[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false 
followTail = 0 
host = CAD1100092

I'm running splunk as a user which has access to this UNC path:

\\cad1100092\\shared$\\testing.log

I want splunk to index it, and I want to do this through the inputs.conf file.

I'm using the one in $splunkhome\etc\system\local.

Is this the correct way? Is my syntax correct?

Thanks
Aaron

meenuvn
Explorer

This discussion greatly helped me with forwarding remote logs. Thanks guys.

gkanapathy
Splunk Employee

I edited your original question to fix it.

0 Karma

mikelanghorst
Motivator

What user is the Splunkd process running as? If it's running as Local System, it won't have access to the remote share.

0 Karma

gkanapathy
Splunk Employee

Ah, I suspect it might be a problem with the $ in the path. If you can get it working in the GUI, take a look at the generated inputs.conf file (should be in $SPLUNK_HOME/etc/apps/search/local, or a corresponding place depending on the app you were in when you created it). Another way to debug will be to look at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ and query the file monitor to see what it thinks it's doing.

0 Karma

skaboy71
Explorer

I understand that issue. I'm running splunk as a domain user that has access to this location. I already have remote file monitors working which I configured via the gui. I am attempting to learn how to use the inputs.conf instead.

0 Karma

kdenton
Path Finder

It seems like in your examples of your inputs.conf file you only have one '\' and you are trying to index a remote log file via UNC. You need two '\'.

[monitor://\\CAD1100092\shared$\testing.log] <---- add a second '\' as it's a UNC
disabled = false
host = CAD1100092
It's still not indexing

0 Karma

skaboy71
Explorer

Sorry ... I have 2 ... the forum software removed one of them ... I'll adjust.

0 Karma

skaboy71
Explorer

OK changed it to

[monitor://\\CAD1100092\shared$\testing.log]

disabled = false

host = CAD1100092

It's still not indexing

0 Karma
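
The backslash confusion in this thread can be checked mechanically. The following is an added example, not code from any poster or from Splunk: a small lint that pulls the path out of each `[monitor://...]` stanza and compares it with the canonical Windows UNC form `\\server\share\path`. The function names and the sample text are constructed for illustration, and the thread does not establish whether Splunk tolerates the non-canonical spellings.

```python
import re

# Constructed sample: the path spellings discussed in the thread.
SAMPLE = r"""
[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false
host = CAD1100092

[monitor://\CAD1100092\shared$\testing.log]
disabled = false

[monitor://\\CAD1100092\shared$\testing.log]
disabled = false
host = CAD1100092
"""

# Stanza header of the form [monitor://<path>]
STANZA = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]$")

def check_unc(path):
    """Return a list of problems with a UNC path (empty list if canonical)."""
    problems = []
    if not path.startswith("\\"):
        return problems  # local path, not UNC: out of scope for this lint
    lead = len(path) - len(path.lstrip("\\"))
    if lead != 2:
        problems.append(f"starts with {lead} backslash(es), UNC needs exactly 2")
    rest = path[lead:]
    if "\\\\" in rest:
        problems.append("doubled backslash after the server name (non-canonical)")
    # A UNC path needs at least a server and a share component.
    if len([part for part in rest.split("\\") if part]) < 2:
        problems.append("missing share name")
    return problems

def lint(conf_text):
    """Map each monitor path found in conf_text to its list of problems."""
    results = {}
    for line in conf_text.splitlines():
        match = STANZA.match(line.strip())
        if match:
            results[match.group("path")] = check_unc(match.group("path"))
    return results

if __name__ == "__main__":
    for path, problems in lint(SAMPLE).items():
        print(path, "->", problems or "ok")
```
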