You can have Splunk reference a UNC path with the following configuration:
\etc\apps\search\local\inputs.conf
[monitor:\\\\SANCIFS_TDC_NETAPP01A.SAN.MyCompany.Com\CIFS_COGNOS$\Test\Logs]
disabled = false
host = sancifs_test
index = default
sourcetype = motio_test
The main thing to be cognizant of is who is running Splunkd, especially on Windows. On this particular Windows machine, I had it set up to run as "Local System Account", and that is probably not what you want.
I had to reconfigure the Windows Service to be run as: COMPANY_DOMAIN\admin_user
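The check below is an added example, not part of the original post: it scans inputs.conf text for monitor stanzas that point at a UNC path and reports which identity the file server will see for a given splunkd logon account. The account name is supplied by the caller, the second stanza in the sample is constructed for contrast, and the built-in account mapping assumes a domain-joined host.

```python
import re

# Constructed sample: the stanza from the post plus a local-path stanza for contrast.
SAMPLE_INPUTS_CONF = r"""
[monitor:\\\\SANCIFS_TDC_NETAPP01A.SAN.MyCompany.Com\CIFS_COGNOS$\Test\Logs]
disabled = false
host = sancifs_test
index = default
sourcetype = motio_test

[monitor://C:\Logs\app]
index = default
"""

# Identity a built-in Windows service account presents to a remote SMB server
# (assumes a domain-joined host).
BUILTIN_NETWORK_IDENTITY = {
    "localsystem": "computer-account",  # authenticates as DOMAIN\HOSTNAME$
    r"nt authority\system": "computer-account",
    r"nt authority\networkservice": "computer-account",
    r"nt authority\localservice": "anonymous",
}

# Accepts both [monitor://<path>] and the [monitor:<path>] form used in the post.
MONITOR_STANZA = re.compile(r"^\[monitor:(?://)?(.+)\]$")


def unc_monitors(conf_text):
    """Return (server, share) for every monitor stanza that targets a UNC path."""
    found = []
    for line in conf_text.splitlines():
        match = MONITOR_STANZA.match(line.strip())
        if match and match.group(1).startswith("\\\\"):
            parts = match.group(1).lstrip("\\").split("\\")
            if len(parts) >= 2:
                found.append((parts[0], parts[1]))
    return found


def audit(conf_text, service_account):
    """Pair each UNC monitor with the kind of identity the share will see.

    service_account is the splunkd service's logon account, supplied by the
    caller (assumption: read from the service's Log On settings).
    """
    kind = BUILTIN_NETWORK_IDENTITY.get(service_account.strip().lower(), "named-account")
    return [(server, share, kind) for server, share in unc_monitors(conf_text)]


if __name__ == "__main__":
    for account in ("LocalSystem", r"COMPANY_DOMAIN\admin_user"):
        for server, share, kind in audit(SAMPLE_INPUTS_CONF, account):
            print(f"{account}: \\\\{server}\\{share} sees {kind}")
```

Whichever identity is reported is the one the share and NTFS permissions have to grant access to. A monitor input only reads files, so read access to the log directory is enough for that identity.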