Getting Data In

Simple example of inputs.conf to monitor a logfile on a remote share

skaboy71
Explorer

I've been looking for this but not finding it.

I have this:

[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false 
followTail = 0 
host = CAD1100092

I'm running splunk as a user which has access to this UNC path:

\\cad1100092\\shared$\\testing.log

I want splunk to index it, and I want to do this through the inputs.conf file.

I'm using the one in $splunkhome\ect\system\local .

Is this the correct way? Is my syntax correct?

Thanks
Aaron

meenuvn
Explorer

This discussion greatly helped me with forwarding remote logs. Thanks guys.

gkanapathy
Splunk Employee

I edited your original question to fix it.

0 Karma

mikelanghorst
Motivator

What user is the Splunkd process running as? If it's running as Local System, it won't have access to the remote share.

0 Karma

gkanapathy
Splunk Employee

Ah, I suspect it might be a problem with the $ in the path. If you can get it working in the GUI, take a look at the generated inputs.conf file (should be in $SPLUNK_HOME/etc/apps/search/local, or a corresponding place depending on the app you were in when you created it). Another way to debug will be to look at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ and query the file monitor to see what it thinks it's doing.

0 Karma

skaboy71
Explorer

I understand that issue. I'm running splunk as a domain user that has access to this location. I already have remote file monitors working which I configured via the gui. I am attempting to learn how to use the inputs.conf instead.

0 Karma

kdenton
Path Finder

It seems like in your examples of your inputs.conf file you only have one '\' and you are trying to index a remote log file via UNC. You need two '\'.

[monitor://\\CAD1100092\shared$\testing.log] <---- add a second '\' as it's a UNC
disabled = false
host = CAD1100092
It's still not indexing

0 Karma
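
The leading-backslash rule from the post above, together with the service-account caveat raised earlier in the thread, written as a small checker for `[monitor://...]` stanzas. This is an added example, not code from the thread or from Splunk; the sample file, function names and issue codes are constructed for illustration.

```python
import re

# Constructed sample inputs.conf using the stanza forms posted in the thread.
SAMPLE = r"""
[monitor://\CAD1100092\shared$\testing.log]
disabled = false
host = CAD1100092

[monitor://\\CAD1100092\shared$\testing.log]
disabled = false
host = CAD1100092

[monitor://C:\logs\app.log]
disabled = true
"""

STANZA = re.compile(r"^\[monitor://(?P<path>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=#\s]+)\s*=\s*(?P<value>.*?)\s*$")

def parse_monitors(text):
    """Return [(path, settings)] for each [monitor://...] stanza, in file order."""
    stanzas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = STANZA.match(line)
            current = {} if m else None   # settings of other stanza types are ignored
            if m:
                stanzas.append((m.group("path"), current))
        elif current is not None and (s := SETTING.match(line)):
            current[s.group("key")] = s.group("value")
    return stanzas

def classify(path):
    """'unc' for exactly two leading backslashes, 'bad-unc' for any other count."""
    if re.match(r"^\\\\[^\\]", path):
        return "unc"
    return "bad-unc" if path.startswith("\\") else "local"

def lint(text):
    """Return (path, issue_code) pairs worth a second look before restarting splunkd."""
    findings = []
    for path, settings in parse_monitors(text):
        kind = classify(path)
        if kind == "bad-unc":
            findings.append((path, "single-leading-backslash"))
        elif kind == "unc":
            # Reminder only: the account running splunkd must be able to read the share.
            findings.append((path, "needs-share-access"))
        if settings.get("disabled", "false").lower() in ("true", "1"):
            findings.append((path, "disabled"))
    return findings
```

The `needs-share-access` code is a reminder, not a detected fault: a conf file cannot show which account the service runs as, so that still has to be checked on the host.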

skaboy71
Explorer

Sorry ... I have 2 ... the forum software removed one of them ... I'll adjust.

0 Karma

skaboy71
Explorer

OK changed it to

[monitor://\\CAD1100092\shared$\testing.log]

disabled = false

host = CAD1100092

It's still not indexing

0 Karma