Splunk Search

FilesystemChangeWatcher : The device is not ready

troywollenslege
Path Finder

We are trying to monitor a lot of systems that have various configurations of drives, (C:disk 😧 cdrom, c:disk d: disk e: disk f: cdrom, etc). The issue we are seeing is that with the below inputs.conf we are getting millions of "device not ready" messages in _internal index when splunk tries to look at the CDrom drive. Is there any way to force splunk not to check the CD drive If we don't know what drive the CD is? (I can't change the drive letter of the CDrom, and I can't change what drive the data is on).. so somtiems d: is a hard drive, sometimes 😧 is a CDrom (and we get the errors). This is a problem with both monitor & batch.

Thoughts?

error:

12-21-2012 18:06:25.979 +0100 WARN FilesystemChangeWatcher - error getting attributes of path "d:\splunk_logs\application": The device is not ready.

inputs.conf:

[batch://d:\splunk_logs\applicaton\*.txt|*.csv]
move_policy = sinkhole
disabled = false
[batch://e:\splunk_logs\application\*.txt|*.csv]
move_policy = sinkhole
disabled = false
Tags (1)

aferone
Builder

I am now running into this as well. Any better solution than turning off Warning messages or NullQueuing these logs?

This needlessly increases the amount of apps needed on a Deployment Server since different servers here have the same files on different drive letters.

0 Karma

aferone
Builder

Just checking if anyone has more info about this again? We are running into it again. I am opening a case.

0 Karma

jacobpevans
Motivator

Did you ever hear anything back? I've revisited this numerous times, and we're about to go with @jkat54 's solution (custom one-time PowerShell input to update inputs.conf)

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

jkat54
SplunkTrust
SplunkTrust

Do it!!!!

0 Karma

jkat54
SplunkTrust
SplunkTrust

I'd write a powershell script to determine what drive letter is a cdrom and change the inputs.conf accordingly.

http://techibee.com/powershell/find-drive-letter-of-cd-drive-using-powershell/1977 <- find the drive leter

http://stackoverflow.com/questions/17144355/string-replace-file-content-with-powershell <- string replace items in config file.

You can even run it as a scripted input, and add it to an application you deploy to all forwarders. So that it deploys with place holders in the config file, and then your powershell script executes to 1. change the inputs.config file to appropriately monitor only non-CDROM drives. 2. change the scripted input schedule to disable the powershell after it's first successful run.

yannK
Splunk Employee
Splunk Employee

are the errors happening when the CDROM is in the drive when splunk starts ?

when you start splunk it will scan all locations you asked him to monitor.
So if you CDROM drive 😧 does not exist at the time you can expect warning messages.
also using move_policy = sinkhole for a READ-only device is probably not necessary.

0 Karma

brent_weaver
Builder

Hey did anyone ever figure this out? I have the same problem and just posted.

I thought I could add a props and transforms to splunkd sourcetype for just that one host. But that did not work.

jkat54
SplunkTrust
SplunkTrust

For what it's worth, I would never purposely downvote an answer like this. Apparently I downvoted in the past and I can't change my vote after a day... but the vote was by mistake if at all.

0 Karma

JoeSco27
Communicator

Is there any update on this Question?

0 Karma

kapanig
Explorer

I need an answer to the same question. I need to monitor a CD drive and it successfully logs file changes in the local splunkd.log, but fails at sending them to the indexer because of a "Error getting attributes of path D:\somefolder\somefilename.ext". Can I prevent the change checker from trying to access the "attributes" of the drive? I don't need those; just file names.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...