Getting Data In

How can I arrange an input from file share?

dban2005
New Member

How can I arrange an input from file share? File share is like \\xyzglobal.local\Apps\Agent\Dev\logs\Dev. I have Splunk deploy/receiver server in a Linux box and all other inputs are coming from Windows and Linux boxes. Please suggest.

1 Solution

nabeel652
Builder

You can monitor shared folders/directories the same way as local ones. The stanza in inputs.conf will be like this:

[monitor://\\xyzglobal.local\Apps\Agent\Dev\logs\Dev\*]
disabled = false
# recursive accepts true or false; true also monitors subdirectories
recursive = true
sourcetype = s_type
index = someindex

Make sure you have read access to the file share.


dban2005
New Member

It has finally worked; however, I used four backslashes instead of two.

dban2005
New Member

Thank you very much for your suggestion and information. I will give it a try as soon as I can arrange a Windows server to install the UF, and share the result.


dban2005
New Member

Yes, my installation is running on a local account. So, as you mentioned, I need to install the universal forwarder on another machine in the domain and collect the logs from the file share. I have checked the installation of the universal forwarder, and the use of a domain account is available as an option. However, I did not get how and where to mention the file share link/path in the universal forwarder while installing it. Should I mention it in the input.config file as you mentioned in your first response? Please suggest. Thank you once again.


nabeel652
Builder

Yes, install it as any normal Universal Forwarder installation except the account name should be the domain account (svc_splunk). It is preferable to install the Universal Forwarder on a Windows machine if your shared directory to monitor is on a Windows Server.

Once the Forwarder is successfully installed, open the System\Local folder, edit inputs.conf and paste the following stanza. Replace the parameter values with your desired ones. Restart Splunk and it should start indexing the data in the files.

[monitor://\\xyzglobal.local\Apps\Agent\Dev\logs\Dev\*]
disabled = false
recursive = true
sourcetype = s_type
index = someindex

dban2005
New Member

Thank you very much for the response and the solution. I would like to have one more clarification on this. With which account should I have read access to the file share from the receiver server? I know I will only be permitted to access the file share with a domain service account (for example xyzglobal\svc-splunkab). If so, where should I mention those account details on the receiver server?


nabeel652
Builder

Well, it is the account your Splunk instance is running as. While installing the Splunk forwarder/instance, it asks whether you want to install it as a domain account or local account. Here you should give the xyzglobal\svc-splunkab account. Unfortunately, it will not work with this method if you have installed Splunk with the local system account.
However, you can install a universal forwarder on any domain-joined machine with this service account and start monitoring this directory.
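
Added example, not part of the thread and not Splunk's own code: a PowerShell check, run on the forwarder host, that the forwarder service logs on as a domain account and that this account's direct NTFS rights on the monitored folder are read-only. It assumes the default Windows service name SplunkForwarder and that the service account appears in the ACL under the same DOMAIN\user form the service reports.

```powershell
# Assumptions (not from the thread): service name 'SplunkForwarder';
# the caller is allowed to read the folder's ACL.
$ServiceName = 'SplunkForwarder'
$SharePath   = '\\xyzglobal.local\Apps\Agent\Dev\logs\Dev'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on this host." }

$account = $svc.StartName
"Forwarder service logs on as: $account"

# The thread's point: a forwarder running under a local account cannot
# read the share. Flag local and built-in logon accounts and stop here.
if ($account -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)') {
    Write-Warning 'Local or built-in account; set the service to log on as the domain service account.'
    return
}

# Rights a read-only log collector should not hold on the folder.
$excess = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Get-Acl reports NTFS permissions only; share-level permissions are
# configured separately on the file server.
$acl  = Get-Acl -Path $SharePath
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $account
}

if (-not $aces) {
    "No direct allow entry for $account; access may be granted through a group."
}
foreach ($ace in $aces) {
    if (([int]$ace.FileSystemRights -band $excess) -ne 0) {
        Write-Warning "$account holds more than read access: $($ace.FileSystemRights)"
    } else {
        "OK: $account is limited to $($ace.FileSystemRights)"
    }
}
```

The script runs as whoever launches it, so it reports what the ACL grants, not whether the service can actually open the files; splunkd.log on the forwarder remains the place to confirm that.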
