Monitoring Splunk

"unable to open file" on a folder

EmileKroeger
Engager

I just installed Splunk, and am trying to use it to open a folder full of log files, which I put in C:\Data\test\

Then I went in the web interface in "Data inputs » Files & directories » Add new", and as "source" put "C:\Data\test", but I get an error "Encountered the following error while trying to save: In handler 'oneshotinput': unable to open file: path='c:\Data\test' error='Accès refusé.'"

It does however work if instead of a directory I put a specific .log file.

Is what I'm trying to do sensible? (I'm new to Splunk, and am mostly trying to see which info I can get out of my logs).

Some extra information:

  • C: is not a network drive
  • I gave all users read and write access to those files
  • no other program is reading files in that directory
  • I'm using Windows 7 in French

It seems to me I'm trying to do something simple, so I must be doing it wrong. What (if any) is the "standard" way of analyzing a folder full of logs?

(I saw a similar issue here, including quite a few comments complaining, but the proposed solutions don't seem to apply to me.)

1 Solution

grijhwani
Motivator

You can monitor a directory, but I think you can only one-shot a single specific file at a time.


EmileKroeger
Engager

OK, that must be it, it works now.

I had previously also tried monitoring instead of one-shotting, but it had failed with the same error message, but that may have been before I gave full rights to that folder (in my mind it made more sense to one-shot because I didn't expect that folder to change...)

Thanks!
