Dear community,
I have a massive issue with a (single hosted) Splunk installation reading files from a local drive/ UNC paths: Splunk does not read these files and doesn't show them as "available" in the Files & directories config page:
The splunkd service which is running on WIndows 2016 is configured with a local administrator user who has also full permissions on the local drives/ permissions on the UNC paths. I have checked the access logging on with this technical user to the machine and opening the paths.
There is also no Virus Scanner blocking Splunk (verified with procmon). The stanzas look as follows (and have always worked for other customers and for this one some time ago):
and
I searched through the logs but couldn't find something really useful. The log states no issue with the file watch:
Since I'm really desperate, I also tried adding the following without success:
- crcSalt = <SOURCE>
- alwaysOpenFile = 1
Any ideas? Would be much appreciated. If I can't resolve it like this, I will have to try reinstalling spunk from scratch moving the configuration to the vanilla installation to see if it works in the new installation.
thanks
mading