Simple example of inputs.conf to monitor a logfile on a remote share

skaboy71
Explorer

I've been looking for this but not finding it.

I have this:

[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false 
followTail = 0 
host = CAD1100092

I'm running splunk as a user which has access to this UNC path:

\\cad1100092\\shared$\\testing.log

I want splunk to index it, and I want to do this through the inputs.conf file.

I'm using the one in $splunkhome\etc\system\local.

Is this the correct way? Is my syntax correct?

Thanks
Aaron

meenuvn
Explorer

This discussion greatly helped me with forwarding remote logs. Thanks guys.

gkanapathy
Splunk Employee

I edited your original question to fix it.

0 Karma

mikelanghorst
Motivator

What user is the Splunkd process running as? If it's running as Local System, it won't have access to the remote share.

0 Karma

gkanapathy
Splunk Employee

Ah, I suspect it might be a problem with the $ in the path. If you can get it working in the GUI, take a look at the generated inputs.conf file (should be in $SPLUNK_HOME/etc/apps/search/local, or a corresponding place depending on the app you were in when you created it). Another way to debug will be to look at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ and query the file monitor to see what it thinks it's doing.

0 Karma

skaboy71
Explorer

I understand that issue. I'm running splunk as a domain user that has access to this location. I already have remote file monitors working which I configured via the gui. I am attempting to learn how to use the inputs.conf instead.

0 Karma

kdenton
Path Finder

It seems like in your examples of your inputs.conf file you only have one '\' and you are trying to index a remote log file via UNC. You need two '\'

[monitor://\\CAD1100092\shared$\testing.log] <---- add a second '\' as it's a UNC
disabled = false
host = CAD1100092

0 Karma

skaboy71
Explorer

sorry ... I have 2 ... the forum software removed one of them ... I'll adjust,

0 Karma

skaboy71
Explorer

OK changed it to

[monitor://\\CAD1100092\shared$\testing.log]
disabled = false
host = CAD1100092

It's still not indexing

0 Karma
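
An added example, not posted by anyone in the thread: a small Python check that scans inputs.conf text for `[monitor://...]` stanzas and flags the two UNC formatting deviations discussed above (a single leading backslash, and a doubled backslash after the host name). It assumes the standard Windows UNC form `\\host\share\path`; the function names and the sample text are constructed for illustration, and it does not test whether the account running splunkd can read the share.

```python
import re

# Constructed sample: the three stanza variants that appear in the thread.
SAMPLE = r"""
[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false
followTail = 0
host = CAD1100092

[monitor://\CAD1100092\shared$\testing.log]
disabled = false

[monitor://\\CAD1100092\shared$\testing.log]
disabled = false
host = CAD1100092
"""

STANZA = re.compile(r"^\[monitor://(?P<path>.+)\]\s*$")

def check_unc(path):
    """Return formatting problems for a monitor path (empty list = nothing flagged)."""
    problems = []
    if not path.startswith("\\"):
        return problems  # local path, nothing UNC-specific to check
    rest = path.lstrip("\\")
    lead = len(path) - len(rest)
    if lead != 2:
        problems.append(f"expected exactly two leading backslashes, found {lead}")
    if "\\\\" in rest:
        problems.append("doubled backslash after the host name")
    return problems

def audit(conf_text):
    """Map each monitor stanza path in conf_text to its list of problems."""
    report = {}
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())
        if m:
            report[m.group("path")] = check_unc(m.group("path"))
    return report

if __name__ == "__main__":
    for path, problems in audit(SAMPLE).items():
        print(path, "->", problems or "OK")
```

A clean result only means the path is well-formed; the service-account question raised in the thread still has to be checked separately.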