Splunk Enterprise

Can we fetch the logs from a drive when UF is not installed?

Ashwini008
Builder

Hi,

I have installed the UF on one of the drives (E drive) on a Windows server. I want to fetch logs from another drive (network drive). This drive is present on the same server itself and the server has access to this drive.

I have placed a monitoring stanza in splunk_home/etc/system/local on the E drive, mentioning the path of the logs present on the network drive. But I am not seeing any logs getting indexed in Splunk.

So can you suggest how I can fetch logs from another drive when the Splunk UF is installed on the E drive?

P.S. I cannot change the Splunk UF location from the E drive because of compliance.

Thanks

0 Karma

glc_slash_it
Path Finder

If you search this you should definitely see some related logs that could point you to the problem:

index=_internal sourcetype=splunkd "gtyojn201gp.kttc.aoi.com*"

0 Karma

Ashwini008
Builder

@glc_slash_it Zero results. Logs are not read from that path.

Can we index logs from a network drive when the Splunk UF is installed on the E drive on a Windows machine?

0 Karma

glc_slash_it
Path Finder

I never tried to install the UF on a drive other than C, but the Splunk service should be like any other Windows service. Can you see and start the splunkforwarder service in the services console?

1- Do you see any logs at all from that UF host on _internal? (if not, there is a problem with installation or running splunkforwarder service)

2- Can you successfully monitor any file in drive E?

3- Does the user you use to run the splunkforwarder service have access to the network drive you're trying to monitor?

------------
If this was helpful, some karma would be appreciated.

0 Karma

Ashwini008
Builder

@glc_slash_it 

1- Do you see any logs at all from that UF host on _internal? (if not, there is a problem with installation or running splunkforwarder service) - Yes, I can see internal logs

2- Can you successfully monitor any file in drive E? - Yes, I am monitoring server logs from drive E

3- Does the user you use to run the splunkforwarder service have access to the network drive you're trying to monitor? - Yes, the user has full access

0 Karma

glc_slash_it
Path Finder

Great, that means the UF is working fine, communicating with Splunk and sending logs.

In index=_internal, do you see any reference to the input stanza? Try searching for a portion of the path if you can't find logs with the full path

(//gtyojn201gp.kttc.aoi.com\Share\Integrations\MyLogins\out\REM*)

That should point you to the problem.

0 Karma

glc_slash_it
Path Finder

Hey!

Can you post your input configuration?

Maybe it is a config or user permissions problem.

Try to search for debug logs on index=_internal in Splunk to see if there are any errors.

Also take a look at this thread:
https://community.splunk.com/t5/Getting-Data-In/splunk-index-logs-from-network-drive/m-p/25001

------------
If this was helpful, some karma would be appreciated.

Ashwini008
Builder

@glc_slash_it  I do not see any errors.

[monitor://gtyojn201gp.kttc.aoi.com\Share\Integrations\MyLogins\out\REM*]
index = Batchtest
sourcetype = Batchtest_st
disabled=false

0 Karma
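
A static check for the situation in this thread, added here as an example and not code from any poster or from Splunk: it parses inputs.conf text and reports, for each `[monitor://...]` stanza, whether the path is a drive-letter path, a UNC path starting with `\\`, or neither. The function names are hypothetical, the second and third sample stanzas are constructed, and the check assumes the documented Windows UNC form `[monitor://\\server\share\...]`.

```python
import re

# Constructed sample: the first stanza is the one posted in the thread,
# the other two are constructed for comparison.
SAMPLE_CONF = r"""
[monitor://gtyojn201gp.kttc.aoi.com\Share\Integrations\MyLogins\out\REM*]
index = Batchtest
sourcetype = Batchtest_st
disabled=false

[monitor://\\fileserver.example.com\Share\logs\*.log]
index = main

[monitor://E:\app\logs]
disabled = true
"""

STANZA = re.compile(r"^\[monitor://(?P<path>.+)\]$")

def classify_path(path):
    """Classify a Windows monitor path by its prefix (hypothetical helper)."""
    if path.startswith("\\\\"):
        return "unc"            # \\server\share\...
    if re.match(r"[A-Za-z]:[\\/]", path):
        return "local"          # drive-letter path
    return "ambiguous"          # neither form: flag for review

def audit_monitor_stanzas(conf_text):
    """Return one finding dict per [monitor://...] stanza in conf_text."""
    findings, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            current = None      # settings under non-monitor stanzas are skipped
            if m:
                current = {"path": m["path"], "kind": classify_path(m["path"]), "disabled": False}
                findings.append(current)
        elif current is not None:
            key, _, val = line.partition("=")
            if key.strip() == "disabled":
                current["disabled"] = val.strip().lower() in ("1", "true")
    return findings

if __name__ == "__main__":
    for f in audit_monitor_stanzas(SAMPLE_CONF):
        print(f"{f['kind']:9} disabled={f['disabled']} {f['path']}")
```

An "ambiguous" result only flags the path form for review; whether the account running the splunkforwarder service can read the share still has to be checked separately.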