Solved: How do I Monitor a UNC path?

seanlon11 · ‎07-13-2010

From server1, I have access to the desired UNC path, and this same user is running splunk, so I know access is not an issue.

\etc\apps\search\local\inputs.conf

[monitor://\\SANCIFS_TDC_NETAPP01A.SAN.MyCompany.Com\CIFS_COGNOS$\Test\Logs]
disabled = false
host = sancifs_test
index = default
sourcetype = motio_test

I have tried many different permutations of the forward and back slash for my monitor stanza, but nothing has worked so far.

What am I doing wrong?

Thanks, Sean

seanlon11 · ‎07-13-2010

dang, that is going to make me mad. I set the Service to run as a different user, and it now works. (figuring out the syntax of how to get Windows to recognize the user was quite a chore)

View solution in original post

seanlon11 · ‎07-13-2010

dang, that is going to make me mad. I set the Service to run as a different user, and it now works. (figuring out the syntax of how to get Windows to recognize the user was quite a chore)

Paolo_Prigione · ‎07-13-2010

Is the indexer (or forwarder) a linux or window box?
If windows, might it be that the "local system account" under which splunk runs by default has no access to that folder?
Uhm, is that a dollar sign after COGNOS? Is it supported in paths?

seanlon11 · ‎07-13-2010

1) Yes, I have restarted Splunk after updating the inputs.conf

2) Splunk 4.1.1 (build 78281)

3) 14 files

Genti · ‎07-13-2010

few standard questions: 1- Have you restarted splunk after changing the config file? 2 - what version of splunk are you using? how many files are in the Logs directory?

How do I Monitor a UNC path?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases