Getting Data In

Monitoring a remote server directory from my workstation

Ant1D
Motivator

Hey,

I am new to Splunk and I have a newbie question 🙂

I have installed Splunk (v.4.1.3) on my workstation choosing the Local System User option. My Splunk instance is able to monitor files stored on my local drives (e.g. C:).

I have read access to log files stored on a remote server but my question is: How can I get my instance of Splunk on my local workstation to monitor the directory on the remote server containing these log files? (My instance of Splunk should be able to index these log files.)

Both the remote server and my workstation have Windows OS. Splunk is not installed on the remote server.

Thanks in advance for your help. Regards, Antoine.

0 Karma
1 Solution

simuvid
Splunk Employee

Hi there,

you can specify a shared directory containing the remote logfiles. The Splunk server must be able to read from this directory.

See also the Documentation:

http://www.splunk.com/base/Documentation/4.1.4/admin/MonitorFilesAndDirectories

Hope that helps!

Cheers


0 Karma

harishnpandey
Explorer

Hi Ant1D

Can you please help me to figure out how we can monitor a remote log directory from my local Splunk?

For example, I have shared the directory below to Everyone but am unable to Splunk it using the Files & Directories option:

\\10.172.139.32\d$\splunk

0 Karma

harishnpandey
Explorer

I am getting below error:

04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///10.172.139.32/d$/splunk.
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Adding watch on path: \10.172.139.32/d$/splunk.
04-19-2018 16:11:07.889 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
04-19-2018 16:12:07.713 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'

0 Karma

shankarcv
Explorer

Hello Daniel, can you please share with me how you managed to get it working? I am also trying to access logs on a remote UNIX server, but even if I provide the UNC path, Splunk is not retrieving the log files on that server.

0 Karma

tomthi
New Member

When I try to run the Indexer service under a different account, the service crashes. I can only run this service under the Local System account. I've tried this on two different machines with the same results.

0 Karma

Ant1D
Motivator

I have managed to get it working now. Thanks for your help

0 Karma

harishnpandey
Explorer

I have configured below parameters to monitor remote path under "c$\Program Files\Splunk\etc\system\default\inputs.conf" as

[monitor:///10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs

[MonitorNoHandle://10.172.139.32/d$/splunk]
index=lm-uscmit-p-finsvcs

However, I am getting below error after restarting Splunk as:

04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor:///10.172.139.32/d$/splunk.
04-19-2018 16:11:05.510 -0400 INFO TailingProcessor - Adding watch on path: \10.172.139.32/d$/splunk.
04-19-2018 16:11:07.889 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'
04-19-2018 16:12:07.713 -0400 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - configure: no drive specifier found: '10.172.139.32/d$/splunk'

0 Karma

harishnpandey
Explorer

Hi

Can you please help me to figure out how we can monitor a remote log directory from my local Splunk?

For example, I have shared the directory below to Everyone but am unable to Splunk it using the Files & Directories option:

\\10.172.139.32\d$\splunk

0 Karma

Ant1D
Motivator

I can access the directory of the server from the workstation that Splunk is installed on. What do you mean exactly when you say "running the Splunk Indexer with a SPECIAL ROLE"?

0 Karma

simuvid
Splunk Employee

When you share the directory or mount the drive, you have to make sure that, if you are running the Splunk Indexer under a special role, that role can access the remote drives.
Just log in to the system that hosts the Splunk Indexer and try to access the remote drive.
If that works, Splunk can also access the drive.

Cheers,

Christian

0 Karma

Ant1D
Motivator

In the link you gave, it says the following:

  1. Specify the full path to the file or directory.

To monitor a shared network drive, enter the following: (or \\<mypath> on Windows). Make sure Splunk has read access to the mounted drive, as well as to the files you wish to monitor.

How do I ensure that Splunk has read access to this?

0 Karma
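The accepted answer says the Splunk server must be able to read the shared directory, and the follow-up asks how to make sure of that. The script below is an added example written for this thread, not code from Splunk or from any poster. It assumes a hypothetical share path (\\fileserver01\logs\app), a default install location, and a hypothetical app name (remote_share_inputs); replace those with your own. It checks which account splunkd runs as, tests that the share can be listed and a file read, and then writes a monitor stanza into an app's local directory rather than etc\system\default. Two facts it relies on: a service running as Local System reaches the network as the computer account (DOMAIN\HOST$), so that is the identity the share ACL must grant; and administrative shares such as d$ require administrator rights on the remote host regardless of who the folder is shared to.

```powershell
# Added example for this thread (not Splunk's code): verify the splunkd service
# account can read a UNC share, then configure a monitor input for it.
param(
    [string]$SharePath  = '\\fileserver01\logs\app',   # assumed UNC path; replace
    [string]$SplunkHome = 'C:\Program Files\Splunk',   # assumed install location
    [string]$AppName    = 'remote_share_inputs'        # hypothetical app name
)

# 1. Which account does splunkd run as? Local System authenticates to remote
#    hosts as the machine account, DOMAIN\COMPUTERNAME$, so grant that account
#    read on the share, or run splunkd as a dedicated service account instead.
$svc = Get-CimInstance Win32_Service -Filter "Name='splunkd'"
if (-not $svc) { throw 'splunkd service not found on this host' }
"splunkd runs as: $($svc.StartName)"
if ($svc.StartName -eq 'LocalSystem') {
    "Note: LocalSystem reaches $SharePath as ${env:USERDOMAIN}\${env:COMPUTERNAME}$"
}

# 2. Test read access from the current session. Run this script under the same
#    identity splunkd uses (for LocalSystem, e.g. via psexec -s) so the result
#    reflects what the service will see, not what your own user can see.
if (-not (Test-Path -LiteralPath $SharePath)) {
    throw "Cannot reach $SharePath as ${env:USERDOMAIN}\${env:USERNAME}"
}
$sample = Get-ChildItem -LiteralPath $SharePath -File | Select-Object -First 1
if ($sample) {
    try {
        Get-Content -LiteralPath $sample.FullName -TotalCount 1 | Out-Null
        "Read OK: $($sample.FullName)"
    } catch {
        throw "Listing works but reading $($sample.FullName) failed: $_"
    }
} else {
    "Share is reachable but currently contains no files"
}

# 3. Write the input into an app's local directory. Files under
#    etc\system\default are replaced on upgrade and should not be edited.
#    A monitor stanza takes the UNC path in its native backslash form.
$appLocal = Join-Path $SplunkHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Force -Path $appLocal | Out-Null
$stanza = @"
[monitor://$SharePath]
disabled = false
index = main
sourcetype = app_log
"@
$inputsConf = Join-Path $appLocal 'inputs.conf'
Set-Content -LiteralPath $inputsConf -Value $stanza -Encoding ASCII
"Wrote $inputsConf; restart splunkd to apply."
```

Keep the MonitorNoHandle stanza out of this setup: the log lines posted above show splunk-MonitorNoHandle.exe rejecting the path with "no drive specifier found", so only the monitor stanza is written here. If the read test fails under the service identity but succeeds as your own user, the fix is on the share ACL or the service account, not in inputs.conf.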