Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can't collect data from file on windows host

Alex_Rus
Loves-to-Learn Lots
‎10-14-2024 08:06 AM

My Splunk installation can't read files from windows host from a specific folder on the C:// drive. Logs are collected from another folder without problems. There are no errors in index _internal, stanza in inputs.conf looks standard, monitor on the folder and the path are specified correctly. The rights to the folder and files are system ones, as are other files that we can collect. What could be the problem?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-14-2024 11:31 PM

Hi @Alex_Rus ,

if you're sure about grants, please, could your share your inputs.conf and the full path of the unread files?

Ciao.

Giuseppe

0 Karma
Reply

Alex_Rus
Loves-to-Learn Lots
‎10-15-2024 01:11 AM

Hi, @gcusello !

[monitor://C:\ExchData\MessageTracking\*]

disabled = 0

index = MyIndex

sourcetype = MySourcetype

#FcrcSalt = <SOURCE

1000014647.jpg

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2024 01:29 AM

Hi @Alex_Rus ,

what if you run from cmd:

dir C:\ExchData\MessageTracking\*

?

Are you sure that there isn't another Splunk input that reads these logs?

Ciao.

Giuseppe 

0 Karma
Reply

Alex_Rus
Loves-to-Learn Lots
‎10-15-2024 01:34 AM

Yes, I'm sure. I checked on Deployment-server there are no such folders for monitoring

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-15-2024 04:11 AM

Wait a second. You're mixing several things. One is the forwarder which is supposed to read the data. Another is a Deployment Server. You show a inputs.conf stanza pointing to a local directory but your screenshot shows listing of a network share.

We need much more words from you - what are you trying to ingest, how, where and so on.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2024 01:39 AM

Hi @Alex_Rus ,

and what if yourun the cmd command?

Ciao.

Giuseppe

0 Karma
Reply

Alex_Rus
Loves-to-Learn Lots
‎10-15-2024 02:05 AM

as in the photo, files in which events are stored

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2024 03:08 AM

Hi @Alex_Rus ,

so, if you run the above command from a cmd window, you have the list of the files in that folder, is it true?

If yes, the inputs.conf is correct, otherwise there's an error i the input path.

In addition, from the photo I cannot read the label in the first row, the one before the files, is it another folder or what else?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...