All Apps and Add-ons

How do I get the File/Directory Information Input app to work with UNC paths?

LukeMurphey
Champion

The File/Directory Information Input app currently does not work with UNC paths. It returns no data.

How can I get this to work?

0 Karma
1 Solution

LukeMurphey
Champion

The app should work provided that the account that Splunk is running under has access to the path and the app is running on Windows. By default, Splunk installs as a local service account which likely doesn't have access. You can change the account that the service runs under by changing the account using services.msc. Note that the account will need to have access to Splunk's install directory too. If it doesn't, you will see an error in file_meta_data_modular_input.log that looks like this:

IOError: [Errno 13] Permission denied: u'C:\\Program Files\\Splunk\\var\\lib\\splunk\\modinputs\\file_meta_data\\6ca8dc8f8956b39f61fb8c69837222ffaa0dae4b5a918cbf130d2284.json'

View solution in original post

0 Karma

LukeMurphey
Champion

The app should work provided that the account that Splunk is running under has access to the path and the app is running on Windows. By default, Splunk installs as a local service account which likely doesn't have access. You can change the account that the service runs under by changing the account using services.msc. Note that the account will need to have access to Splunk's install directory too. If it doesn't, you will see an error in file_meta_data_modular_input.log that looks like this:

IOError: [Errno 13] Permission denied: u'C:\\Program Files\\Splunk\\var\\lib\\splunk\\modinputs\\file_meta_data\\6ca8dc8f8956b39f61fb8c69837222ffaa0dae4b5a918cbf130d2284.json'
0 Karma

JoelCBennett
Engager

Hey Luke. Thanks again for your continued follow-up.

In my case, the account under which the splunk service is running on the indexer is a domain admin. So no permissions issues. Verified that as that account I could access the file.

The Splunk forum is removing your backslashes, so a little hard to see your example. I reverted back to my original pathing, which is a typical UNC path (two leading backslashes, a single backslash between directories).

The file_meta_data_modular_input.log has the following errors:

2015-11-17 13:51:13,760 ERROR Execution failed
Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1320, in execute
    self.do_run(in_stream, log_exception_and_continue=True)
  File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1220, in do_run
    input_config)
  File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_meta_data.py", line 350, in run
    results, new_latest_time = [self.get_file_data(file_path, logger=self.logger, latest_time=latest_time, must_be_later_than=must_be_later_than, file_hash_limit=file_hash_limit)]
ValueError: need more than 1 value to unpack
0 Karma

LukeMurphey
Champion

Can you try version 1.0.1? That version includes more information when it is unable to access a file (and it won't include that exception). The logs should be more explicit on that version and should help figure out why it thinks it cannot access the files.

0 Karma

JoelCBennett
Engager

Upgraded to 1.0.1. Here is the new error with sensitive data XXXed out. Looks like the error you referenced above, but again I am using a domain admin acct to run the splunk service. Looks almost like it is inserting additional backslashes in the path. Is that supposed to look like that? The path I input in settings does not duplicate backslashes at this point.

2015-11-17 14:51:15,190 INFO Time is later than filter, st_mtime=1447374849.7156944, must_be_later_than=None, path=u'\\SERVERNAME\d$\DIRECTORY\test_jcb.txt'
2015-11-17 14:51:15,191 INFO Completed retrieval of file data, count=1, path=\SERVERNAME\d$\DIRECTORY\test_jcb.txt
2015-11-17 14:51:15,193 ERROR Failed to save checkpoint directory
Traceback (most recent call last):
File "D:\Program Files\Splunk\etc\apps\file_meta_data\bin\file_info_app\modular_input.py", line 1174, in save_checkpoint_data
fp = open( self.get_file_path(checkpoint_dir, stanza), 'w' )
IOError: [Errno 13] Permission denied: u'D:\Program Files\Splunk\var\lib\splunk\modinputs\file_meta_data\8851a2e98451016f56fa021e35925b5ee25391303ac5ae3297409334.json'

0 Karma

LukeMurphey
Champion

Yes, the path should look like it has extra back-slashes; this is just how Python prints strings.

The permission denied error indicates that the account doesn't have sufficient access to the Splunk install directory in order to write out the checkpoint file. It might work if you add permission to whatever account you are running Splunk under such that it can read and write to the path:

D:\Program Files\Splunk\var\lib\splunk\modinputs\file_meta_data

There may be other directories it needs access to as well (likely needs the ability to write to other files within Splunk).

JoelCBennett
Engager

Even though the splunk service account is already a local admin, I had to add permissions for the file_meta_data directory. For whatever reason the app install process does not grant it rights. Works now. Thanks for the guidance, Luke!

0 Karma

LukeMurphey
Champion

I found that you do not need to escape the path for the input to work (should use "\SERVERNAME\D$\FOLDERNAME\TEXTFILE.txt" not " \\SERVERNAME\D$\FOLDERNAME\TEXTFILE.txt").

In my case, the input ran as the local system account and thus didn't have access to the share. I had to change the account for the Splunkd service to run under a local user's context (this host isn't on a domain) . This worked for me.

0 Karma

LukeMurphey
Champion

@JoelCBennett: here is a new question where I'm going to investigate making the app with UNC paths.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...