Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Simple example of inputs.conf to monitor a logfile on a remote share

skaboy71
Explorer
‎09-16-2011 10:29 AM

I'v been looking for this but not finding it.

I have this:

[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false 
followTail = 0 
host = CAD1100092

I'm running splunk as a user which has access to this UNC path:

\\cad1100092\\shared$\\testing.log

I want splunk to index it, and I want do this through the inputs.conf file.

I'm using the one in $splunkhome\ect\system\local .

Is this the correct way? Is my syntax correct?

Thanks
Aaron

Tags (2)
Reply

meenuvn
Explorer
‎06-07-2016 07:42 AM

This discussion greatly helped me with forwarding remote logs. Thanks guys.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-16-2011 05:02 PM

I edited your orignal question to fix it.

0 Karma
Reply

mikelanghorst
Motivator
‎09-16-2011 11:50 AM

What user is the Splunkd process running as? If it's running as Local System, it won't have access to the remote share.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-16-2011 05:01 PM

Ah, I suspect it might be a problem with the $ in the path. If you can get it working in the GUI, take a look at the generated inputs.conf file (should be in $SPLUNK_HOME/etc/apps/search/local, or a correspondin place depending on the app you were in when you created it). Another way to debug will be to look at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ and query the file monitor to see what it thinks it's doing.

0 Karma
Reply

skaboy71
Explorer
‎09-16-2011 01:01 PM

I understand that issue. I'm running splunk as a domain user that has access to this location. I already have remote file monitors working which I configured via the gui. I am attempting to learn how to use the inputs.conf instead.

0 Karma
Reply

kdenton
Path Finder
‎09-16-2011 11:10 AM

It seems like in your examples of your inputs.conf file you only have one '\' and you are trying to index a remote log file via UNC. You need two '\'

[monitor://****CAD1100092\shared$\testing.log] <---- add a second '\' as its a UNC
disabled = false
host = CAD1100092
Its still not indexing

0 Karma
Reply

skaboy71
Explorer
‎09-16-2011 11:29 AM

sorry ... I have 2 ... the forum software removed one of them ... I'll adjust,

0 Karma
Reply

skaboy71
Explorer
‎09-16-2011 10:44 AM

OK changed it to

[monitor://\\CAD1100092\shared$\testing.log]

disabled = false

host = CAD1100092

Its still not indexing

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top