Hi,
I have installed the UF on one of the drives (E drive) on a Windows server. I want to fetch logs from another drive (network drive). This drive is present on the same server itself and the server has access to this drive.
I have placed a monitoring stanza in splunk_home/etc/system/local on the E drive mentioning the path of the logs present on the network drive. But I am not seeing any logs getting indexed in Splunk.
So can you suggest how I can fetch logs from another drive when the Splunk UF is installed on the E drive?
P.S. I cannot change the Splunk UF location from the E drive because of compliance.
Thanks
If you search this you should definitely see some related logs that could point you to the problem:
index=_internal sourcetype=splunkd "gtyojn201gp.kttc.aoi.com*"
@glc_slash_it Zero result. Logs are not read from that path.
Can we index logs from a network drive when the Splunk UF is installed on the E drive on a Windows machine?
I never tried to install the UF on a drive other than C, but the Splunk service should be like any other Windows service. Can you see and start the splunkforwarder service in the services console?
1- Do you see any logs at all from that UF host on _internal? (if not, there is a problem with installation or running splunkforwarder service)
2- Can you successfully monitor any file in drive E?
3- Does the user you use to run the splunkforwarder service have access to the network drive you're trying to monitor?
------------
If this was helpful, some karma would be appreciated.
1- Do you see any logs at all from that UF host on _internal? (if not, there is a problem with installation or running splunkforwarder service) - Yes, I can see internal logs.
2- Can you successfully monitor any file in drive E? - Yes, I am monitoring server logs from drive E.
3- Does the user you use to run the splunkforwarder service have access to the network drive you're trying to monitor? - Yes, the user has full access.
Great, that means the UF is working fine, communicating with Splunk and sending logs.
In index=_internal, do you see any reference to the input stanza? Try searching for a portion of the path if you can't find logs with the full path
(//gtyojn201gp.kttc.aoi.com\Share\Integrations\MyLogins\out\REM*)
That should point you to the problem.
Hey!
Can you post your input configuration?
Maybe it is a config or user permissions problem.
Try to search for debug logs on index=_internal in Splunk to see if there are any errors.
Also take a look at this thread:
https://community.splunk.com/t5/Getting-Data-In/splunk-index-logs-from-network-drive/m-p/25001
@glc_slash_it I do not see any errors.
[monitor://gtyojn201gp.kttc.aoi.com\Share\Integrations\MyLogins\out\REM*]
index = Batchtest
sourcetype = Batchtest_st
disabled=false