Getting Data In

Simple example of inputs.conf to monitor a logfile on a remote share

skaboy71
Explorer

I've been looking for this but not finding it.

I have this:

[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false 
followTail = 0 
host = CAD1100092

I'm running splunk as a user which has access to this UNC path:

\\cad1100092\\shared$\\testing.log

I want splunk to index it, and I want to do this through the inputs.conf file.

I'm using the one in $splunkhome\ect\system\local .

Is this the correct way? Is my syntax correct?

Thanks
Aaron

meenuvn
Explorer

This discussion greatly helped me with forwarding remote logs. Thanks guys.

gkanapathy
Splunk Employee

I edited your original question to fix it.

0 Karma

mikelanghorst
Motivator

What user is the Splunkd process running as? If it's running as Local System, it won't have access to the remote share.

0 Karma

gkanapathy
Splunk Employee

Ah, I suspect it might be a problem with the $ in the path. If you can get it working in the GUI, take a look at the generated inputs.conf file (should be in $SPLUNK_HOME/etc/apps/search/local, or a corresponding place depending on the app you were in when you created it). Another way to debug will be to look at http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ and query the file monitor to see what it thinks it's doing.

0 Karma

skaboy71
Explorer

I understand that issue. I'm running splunk as a domain user that has access to this location. I already have remote file monitors working which I configured via the gui. I am attempting to learn how to use the inputs.conf instead.

0 Karma

kdenton
Path Finder

It seems like in your examples of your inputs.conf file you only have one '\' and you are trying to index a remote log file via UNC. You need two '\'.

[monitor://\\CAD1100092\shared$\testing.log] <---- add a second '\' as it's a UNC
disabled = false
host = CAD1100092
It's still not indexing

0 Karma

skaboy71
Explorer

Sorry ... I have 2 ... the forum software removed one of them ... I'll adjust.

0 Karma

skaboy71
Explorer

OK changed it to

[monitor://\\CAD1100092\shared$\testing.log]

disabled = false

host = CAD1100092

It's still not indexing

0 Karma
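
An added example, not part of any post in this thread and not Splunk's own code: a small Python check that flags `monitor://` stanzas whose UNC path departs from the `\\host\share\file` shape the replies point to. The function name and the sample stanzas are constructed for illustration; a clean result only rules out the path syntax, not the service-account access question raised earlier in the thread.

```python
import re

# Matches a monitor stanza header and captures everything after "monitor://".
STANZA_RE = re.compile(r'^\s*\[monitor://(.*)\]\s*$')

def check_monitor_stanzas(conf_text):
    """Return (line_no, path, problem) for UNC-style monitor paths that do
    not look like \\\\host\\share\\file. Local paths (C:\\...) are skipped."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = STANZA_RE.match(line)
        if not match:
            continue
        path = match.group(1)
        if not path.startswith('\\'):
            continue  # drive-letter or POSIX path: out of scope for this check
        leading = len(path) - len(path.lstrip('\\'))
        if leading != 2:
            findings.append((line_no, path,
                             f"expected 2 leading backslashes, found {leading}"))
        elif '\\\\' in path[2:]:
            findings.append((line_no, path,
                             "doubled backslash inside the path"))
    return findings

# Constructed sample: the three stanza shapes that appear in the thread.
SAMPLE = r"""[monitor://\CAD1100092\shared$\testing.log]
disabled = false

[monitor://\\CAD1100092\\shared$\testing.log]
disabled = false

[monitor://\\CAD1100092\shared$\testing.log]
disabled = false
host = CAD1100092
"""

if __name__ == "__main__":
    for line_no, path, problem in check_monitor_stanzas(SAMPLE):
        print(f"line {line_no}: {path}: {problem}")
```
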