Trying to monitor a separate print server folder outside where Splunk is hosted with print logs that has a UNC path. Folder only has .log files in it. I have the following index created:
index = printlogs
When I try to add the folder path in Splunk through the add data feature: "Add Data" - "Monitor" - "Files & Directories" I get to submit and then get an error:
"Parameter name: Path must be absolute".
So I added the following stanza to my inputs.conf file in the systems/local/folder:
[monitor://\\cpn-prt01\c$\Program Files\Printer\server\logs\print-logs\*.log]
index = printlogs
host = cpn-prt01
disabled = 0
renderXml = 1
I created a second stanza with an index = printlogs2 with respective index to monitor the following path to see if I can pull straight from the path and ignore the file type inside.
[monitor://\\cpn-prt01\c$\Program Files\Printer\server\logs\print-logs\]
I do see the full path to both in the "Files & Directories" list under the Data Inputs. However, I am not getting any event counts when I look at the respective indexes seen in the Splunk Indexes page. I did a Splunk refresh and even restarted the Splunk server with no luck. Thought maybe someone has run into a similar issue or has a possible solution.
Thanks in advance.
While ingesting files from network shares is possible (but has performance drawbacks, especially in high-volume scenarios), it requires the ingesting component (either a HF or UF) to run with a domain user which has access to the source share. Maybe, just maybe, it could work with a completely public share (haven't tested it myself), but it's not a very good idea in the first place.
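A way to check the service-account point from the answer above, as an added example that is not part of the original thread. It assumes the default Windows service names Splunkd (Splunk Enterprise / HF) and SplunkForwarder (UF) and uses the UNC path from the question.

```powershell
# Added example (not from the thread). Run on the Windows host where Splunk runs.
# Assumptions: default service names 'Splunkd' and 'SplunkForwarder';
# the share path is the one quoted in the question.
param(
    [string]$SharePath = '\\cpn-prt01\c$\Program Files\Printer\server\logs\print-logs'
)

# Logon identities that are local to this machine and therefore are not
# a domain user: LocalSystem, NT AUTHORITY\*, NT SERVICE\* virtual accounts, .\localuser
$localIdentity = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)'

$services = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='Splunkd' OR Name='SplunkForwarder'"

if (-not $services) {
    Write-Warning 'No Splunk service found on this host.'
    return
}

foreach ($svc in $services) {
    $isLocal = $svc.StartName -match $localIdentity
    [pscustomobject]@{
        Service       = $svc.Name
        State         = $svc.State
        RunsAs        = $svc.StartName
        DomainAccount = -not $isLocal
    }
    if ($isLocal) {
        Write-Warning ("{0} runs as '{1}', not as a domain user. The monitor input " +
            "reads the share with this identity, so it needs a domain account " +
            "that has read access to {2}.") -f $svc.Name, $svc.StartName, $SharePath
    }
}

# Test-Path/Get-ChildItem use the identity of THIS PowerShell session, not the
# service's. Start the session as the service account to make the result meaningful.
try {
    $logs = @(Get-ChildItem -LiteralPath $SharePath -Filter '*.log' -ErrorAction Stop)
    "Session user {0}\{1} can list {2} .log file(s) in the share." -f `
        $env:USERDOMAIN, $env:USERNAME, $logs.Count
} catch {
    Write-Warning "Session user cannot read ${SharePath}: $($_.Exception.Message)"
}
```

If the service has to be moved to a domain account, grant that account read access to a dedicated share on the logs folder only; c$ is an administrative share and reaching it requires administrator rights on the print server.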