I have one server A which is network connected to Server B, where Splunk is installed, and I want to monitor a few folders present in Server A without installing a universal forwarder, due to some restrictions.
I am on Windows OS and I can browse to that folder and read the folder's files from File Explorer by following the path \\abcstorage\xyz
Now, to monitor this in Splunk, what path needs to be mentioned in splunk inputs.conf? I tried the inputs below, but am still unable to monitor.
[monitor:////abcstorage\xyz\*.zip]
disabled = false
index = xyz
sourcetype = abc
ignoreOlderThan = 1d
Thanks.
I believe the correct syntax is [monitor://\\abcstorage\xyz\*.zip].
Alternatively, you can mount the network drive under a local drive letter (or nowadays even as a folder inside the local filesystem I believe?) and then use something like @gcusello mentioned.
Thanks a lot @FrankVI
If I create a local drive as suggested, will it impact performance?
I will test and keep you posted.
thanks.
Hi @FrankVI @gcusello, I tried a network drive like [monitor://Z:\xyz\*.zip]
and [monitor://\\abcstorage\xyz\*.zip]
but neither of them is working.
@FrankVI @gcusello
Yesterday I kept [monitor://\\abcstorage\xyz\*.zip]
this stanza in inputs.conf, and as of yesterday no data was indexed. When I checked again today I see that data is being indexed which was newly inserted last night, probably (its modified date is 10 July).
Although there were many files from 9 July as well, none of them got indexed yesterday, although I set ignoreOlderThan = 1d,
so it will not index these files today; that's OK, but why were they not indexed yesterday?
Good to hear that it started working 🙂
Yesterday was the 10th, right? So files from the 9th may have already fallen outside the scope? I'd just keep an eye on whether it now continues working consistently.
Yes, yesterday was the 10th and these 10 July files are indexed in Splunk. It may be due to the last 24 hours from when I created inputs.conf, due to which no files got indexed from the 9th.
Now I created another input monitoring another folder and included ignoreOlderThan = 1d,
but it is not indexing 10 July files.
I do know from experience that such remote share monitoring is sometimes quite slow to get going (especially if the forwarder is still busy scanning / ingesting other remote folders).
What is the exact creation/modification date/time on those files and what is the system time on these systems? Also, I'm not sure how 1d is interpreted; it may not be the same as 24h, it might simply check the dates only.
I checked one file and the details are:
Created-Today, July 11, 2019, 11 hours ago
Modified-Yesterday, July 10, 2019, 2:22:52 AM
Isn't it strange that modified is 10 July and created is 11 July?
I checked the modification time of the 10 July file which is not being indexed: it is 10 July 2:22 AM,
and the current time is 11 July 1:12 PM. It seems that because 24 hours have already passed it will not index these files 🙂
One question: my system time zone is IST and the server whose files are monitored is in a different time zone. When I browse to that folder via the network share, will the modification time it shows be according to my server's time zone?
Good question on the time zones. Not sure to be honest. If you have write permissions you could test that.
Any clues in splunkd.log? Is it trying to start monitoring that path?
Hi ips_mandar,
if you share your path with the E: drive, use something like this:
[monitor://E:\abcstorage\xyz\*.zip]
disabled = false
index = xyz
sourcetype = abc
ignoreOlderThan = 1d
As suggested by Adonio, check permissions to be sure that forwarder can read the files.
Bye.
Giuseppe
Hi @adonio @gcusello ,
The system has permission and I can view all files from the network drive. It is a network shared drive and it is not present in the same system where Splunk is installed: Network > abcstorage > xyz
Hi ips_mandar,
check your date format: if you have dd/mm/yyyy, probably your Splunk inverted months and days, so you can find yesterday's logs in October.
In this case, you have to fix the timestamp format in props.conf.
Bye.
Giuseppe
There won't be any timestamp issue, since yesterday's file got indexed; yesterday's file contains data from two days back and it is indexed as per the timestamp in the events.
Thanks.
Check permissions: can the forwarder read the files in the path?