I'm fairly new to Splunk and I am having some trouble setting up a data input from my universal forwarder. I've currently got it configured to pull Windows event files from a specific folder on the machine that are moved to it manually. However, it is only pulling seemingly random files, but 99% aren't getting indexed. I've tried specifying the file type to see if that was an issue, with no luck. I've also tried adding crcSalt = <string> to the input.conf file, no luck there either. Trying to see if I'm missing something, as I've gone through many other posts for similar issues to no avail. Any ideas are greatly appreciated.
Below is my input.conf file; I've hidden the computer name for security.
[monitor://\\COMPUTERNAME\"_ISSO Audits"\DC_Audit_Splunk\"Currently Reviewing"\*.csv]
disabled = false
index = dc_audits
sourcetype = csv
@isoutamo's questions are valid, but let me make some assumptions, judging from the fact that you say you have no experience with Splunk.
I assume therefore that you installed the Splunk forwarder with default options, which means it's running under the Local System user. This user will not have permissions to connect to a remote share. For getting files from remote shares, the UF should be installed as a domain user (a managed service account) which should be granted access to the shares. Since you can't specify credentials for connecting to the share, it needs a domain account. Maybe, just maybe, it would work with a share open to everyone, but that's a very bad idea.
The syntax of the monitor stanza is probably also bad with those quotes.
OK, I think I see my issue: the forwarder was installed with a domain user; however, they don't have access to the folder where the files are being stored. So I will reinstall the forwarder using an account that has access to the drive and see if that makes a difference.
How have you installed the UF on this machine? Is that host joined to an AD domain, and which user account is used to run Splunk? Does that user have access to this network share?
What kind of files are those csv files? Do they all have the same format or different ones? And do they use the same or different names? Do they have identical content at the beginning of the file?
I think that you don't need those " characters around directory names with spaces?
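One way to answer the question above about identical content at the beginning of the files, as an added example that is not from any poster in this thread: the script groups CSVs by a hash of their first 256 bytes (Splunk's default initCrcLength), because a monitor input can treat files with matching heads as already seen. SHA-256 is a stand-in for the forwarder's own checksum, and the file names and sample rows are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

INIT_CRC_LENGTH = 256  # default initCrcLength in inputs.conf


def head_fingerprint(path, length=INIT_CRC_LENGTH, salt_with_source=False):
    """Hash the first `length` bytes; SHA-256 is a stand-in, not Splunk's CRC.
    salt_with_source=True models crcSalt = <SOURCE> (path mixed into the check)."""
    with open(path, "rb") as fh:
        head = fh.read(length)
    h = hashlib.sha256()
    if salt_with_source:
        h.update(os.path.abspath(path).encode("utf-8"))
    h.update(head)
    return h.hexdigest()


def colliding_groups(paths, length=INIT_CRC_LENGTH, salt_with_source=False):
    """Group files whose heads match: candidates for being skipped as 'seen'."""
    groups = defaultdict(list)
    for p in sorted(paths):
        groups[head_fingerprint(p, length, salt_with_source)].append(p)
    return [g for g in groups.values() if len(g) > 1]


def build_sample_dir():
    """Constructed sample: two audit CSVs sharing a ~400-byte header, one not."""
    d = tempfile.mkdtemp(prefix="dc_audit_")
    header = ",".join(f"Column{i:02d}_EventField" for i in range(20)) + "\r\n"
    bodies = {
        "dc01.csv": header + "4624,alice\r\n",
        "dc02.csv": header + "4625,bob\r\n",
        "notes.csv": "host,comment\r\nDC01,ok\r\n",
    }
    paths = []
    for name, body in bodies.items():
        p = os.path.join(d, name)
        with open(p, "w", newline="") as fh:
            fh.write(body)
        paths.append(p)
    return paths


if __name__ == "__main__":
    for group in colliding_groups(build_sample_dir()):
        print("same first %d bytes:" % INIT_CRC_LENGTH, group)
```

Run against the real folder by passing its CSV paths to colliding_groups; any group it returns shares the same first 256 bytes, and re-running with salt_with_source=True or a larger length shows whether crcSalt = <SOURCE> or a higher initCrcLength would separate them.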