topic Re: How are logs appearing on a particular source type in heavy forwarder? in Splunk Enterprise

How are logs appearing on a particular source type in heavy forwarder?

verifi81 — Thu, 23 Jul 2020 03:57:01 GMT

Hi. In my heavy forwarder I am trying to understand how logs are appearing on a particular source type.

I go to Settings < source type< and search for it. I find it. I edit it. But it's not telling me any detail on how those .csv files from the various host are getting the file to the heavy forwarder.

The universal forwarder inputs.conf file on the host does not reference the .csv files.

Anything else I can do on the heavy forwarder to find out how the host are sending to it? It's not syslog.

Re: How are logs appearing on a particular source type in heavy forwarder?

renjith_nair — Thu, 23 Jul 2020 04:45:09 GMT

Are you indexing the events on HF or forwarding it to indexer?

While searching for the events , doesn't the "source" field has information about source of the data and "host" field about the machine from where the events are pushed?

Do you have web enabled on the HF and is there a possibility of manual upload ?

Re: How are logs appearing on a particular source type in heavy forwarder?

verifi81 — Thu, 23 Jul 2020 05:17:02 GMT

The HF is forwarding to splunk cloud for indexing. No Indexing done on the HF

While searching the event the source is:

C:\monitor\splunk.csv

The CSV does exist on the host. My question is, how is the host sending this csv file to the HF? I don't see anything in the input.conf file referencing this csv.

Re: How are logs appearing on a particular source type in heavy forwarder?

renjith_nair — Fri, 24 Jul 2020 03:34:16 GMT

Do you have only one UF and one HF and all the events are going through HF before hitting index?

Is the web enabled for HF and is there a possibility of direct upload using web ?

Also search in your _internal logs and check if you are able to find any activity regarding the file upload

Re: How are logs appearing on a particular source type in heavy forwarder?

verifi81 — Fri, 24 Jul 2020 04:09:10 GMT

I have lots of UFs (individual servers) and one HF. Yes all events from UFs are hitting the HF before getting indexed at the cloud.

Would you elaborate on what you mean by is the web enabled for HF and direct uploading?

On the HF I searched index=_internal and no data

Re: How are logs appearing on a particular source type in heavy forwarder?

verifi81 — Fri, 24 Jul 2020 04:28:35 GMT

Within the HF < Settings < Data Inputs < Forwarded Inputs < Files and Directories <
I see the source path c:\splunk\computers.csv there and it is ENABLED

Still doesn't answer my question about how this CSV is getting sent to the HF

Re: How are logs appearing on a particular source type in heavy forwarder?

renjith_nair — Fri, 24 Jul 2020 10:16:26 GMT

"On the HF I searched index=_internal and no data" => if you are not indexing in HF, you should search (index=_internal) in search head which is connected to indexers

"Would you elaborate on what you mean by is the web enabled for HF and direct uploading?" => If you have splunk web enabled on HF, users can login to the splunk web and upload data.

It could be on any of the forwarders or HFs and the inputs.conf can be present in multiple places. Try splunk btool to list out the inputs conf stanzas on the machine from where the file is uploaded

Re: How are logs appearing on a particular source type in heavy forwarder?

verifi81 — Mon, 27 Jul 2020 22:29:31 GMT

great suggestion on the btool. i found references of the .csv file in an inputs file under

C:\Program Files\SplunkUniversalForwarder\etc\apps\ForwardedMonitor\local

I'm assuming if the stanza beings with MONITOR and then has path to the .csv and also a sourcetype specified, that would instruct the universal forwarder to send this file to the Heavy forwarder?

Re: How are logs appearing on a particular source type in heavy forwarder?

renjith_nair — Tue, 28 Jul 2020 06:28:45 GMT

Yes, that should be it. If there is no configuration for index or other parameters, it will be picked up from the default