How to collect data from directories on remote machine into splunk indexer

sushma7
Path Finder

Hi,

I have directories residing on the D drive of my remote machine.

I have a Splunk machine with which I need to collect the data from the directory on the D drive of the remote machine.

I have installed the universal forwarder on the remote machine, but it does not help me fetch the information from the D drive. I can fetch data only from the event logs of the remote machine.

Kindly help!

Thanks & Regards,
Sushma.

MuS
SplunkTrust

Hi sushma7,

Best is to start reading the docs on Monitor files and directories and on editing inputs.conf. Remember this must all be done on your universal forwarder, where your D drive exists.

Hope this helps ...

cheers, MuS

MuS
SplunkTrust

You're welcome. Now you can show your support and accept the answer and/or upvote it 😉 thx 🙂

sushma7
Path Finder

Thanks for your support! It worked out... hurray!!!!!

MuS
SplunkTrust

Yes, if you monitor a directory Splunk will read everything in there if you did not set any black/whitelists, which you did not 😉

sushma7
Path Finder

Yep, I would. One more query: the directory that I mentioned in the inputs.conf is not a static one; the files in it get updated every 4 hours, so it would get updated in Splunk as well, right?

MuS
SplunkTrust

Check 'index=_internal' for any message related to your universal forwarder.

sushma7
Path Finder

I had restarted the forwarder service from services.msc.
Then I logged into the main Splunk instance and, under the Search and Reporting app, I ran the query sourcetype=access_combined, because this is what I mentioned in the inputs.conf, but I could not view the data that I intended to monitor.

MuS
SplunkTrust

Did you restart the universal forwarder after the file change? Can the user running Splunk access this directory? What are your issues?

sushma7
Path Finder

As you have said, I changed the inputs.conf file on the remote universal forwarder, and here is what I did.
1) I want to monitor D:\Test\Testscripts (folder) on the remote machine.
2) So I added the following lines to the E:\SplunkUniversalForwarder\etc\system\local\inputs.conf file. The lines are as follows:

[monitor://D:\Test\Testscripts]
disabled = false
sourcetype = access_combined

3) Then I logged into the main Splunk instance; now I should be able to view the directory, right? I am still facing issues. Should I make any more changes?

Can you correct me if I was wrong somewhere?

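As an added example (not code from the thread or from Splunk), a small Python check for a universal forwarder inputs.conf like the one posted above: it parses the stanzas and flags the misconfigurations that most often explain why nothing shows up on the indexer, including the whitelist/blacklist regexes MuS mentions. The sample inputs.conf is constructed here; D:\Test\Testscripts is the path from the thread, the second stanza is deliberately broken for comparison.

```python
import re

# Added example (not Splunk's code): sanity-check monitor stanzas in a
# universal forwarder inputs.conf for the mistakes behind "no data shows up".
# Constructed sample: the stanza from the thread plus a deliberately broken one.
SAMPLE_INPUTS_CONF = r"""
[monitor://D:\Test\Testscripts]
disabled = false
sourcetype = access_combined

[monitor:/D:\Test\Other]
disabled = true
whitelist = \.log($
index = ops
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_monitor_stanzas(text):
    """Return (stanza, finding) tuples for every monitor input in text."""
    findings = []
    for name, keys in parse_conf(text).items():
        if not name.startswith("monitor:"):
            continue  # scripted, WinEventLog and other input types are out of scope
        if not name.startswith("monitor://"):
            findings.append((name, "stanza must start with monitor://"))
        if keys.get("disabled", "false").lower() in ("1", "true"):
            findings.append((name, "input is disabled"))
        if "index" not in keys:
            findings.append((name, "no index set; events land in the default index"))
        for key in ("whitelist", "blacklist"):  # missing key compiles as "" and passes
            try:
                re.compile(keys.get(key, ""))
            except re.error as exc:
                findings.append((name, f"{key} regex invalid: {exc}"))
    return findings
```

Run it on the forwarder's own etc/system/local/inputs.conf; whether the service account can actually read the monitored directory still has to be checked on that machine.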
MuS
SplunkTrust

Yes, in the UI of the indexer you will only see the local directories and files. You must manually edit the inputs.conf on the remote universal forwarder; this tells the forwarder to monitor the data and forward it to the indexer. Nevertheless, you will still not see this D drive in your indexer UI 😉

sushma7
Path Finder

Thanks for your information!

If I edit the inputs.conf file on the universal forwarder machine, will I be able to view the D drive of the remote machine from the main Splunk machine, i.e. under the Files and Directories - Add New option? Generally it shows the drives of the local machine, right?

Regards,
Sushma.
