I am able to index my local C:/ drive local files in Splunk , but unable to index X:/ drive (Sharepoint path) folder data through inputs.conf.
Note:
X:/ drive contains the mounted path of Sharepoint location
Any help would be appreciated!
Thanks,
Praveena
What happens when you try to index the X: drive? What error(s) do you get?
Is Splunk running as a user with access to that drive? See https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/ConsiderationsfordecidinghowtomonitorWindows...
What happens when you try to index the X: drive? What error(s) do you get?
Is Splunk running as a user with access to that drive? See https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/ConsiderationsfordecidinghowtomonitorWindows...
@richgalloway , Thanks for the support!!
I found the issue for not reading the file from the sharepoint,
It is due to the access error (as you mentioned) in reading the file in sharepoint from Splunk.
I tried enabling the debug logs and found it.
Splunk has Domain Account.
Note:
My X: drive data are not reflecting in splunk web. (No Errors)
It's surprising that Splunk would not index any data and not report anything about it. Did you check splunkd.log? What is the inputs.conf stanza for the X drive?
Monitoring Stanza:
[monitor://X:\ASERENS\ENX\ENX1\200_Licensing\100_SparxSystems-EA\OrderingLicsMaint\2021\*.txt]
Yeah, I checked the log as well, but couldn't find any errors.
Where is the rest of the stanza? I expected to see more than the heading.
What query are you using to find the events from the X: drive?