How to find the path for an unknown data source th...

darknetone · ‎02-23-2016

How can I tell where data is coming from? I have inherited an old Splunk 5.0.1 Enterprise Infrastructure. I can see data on the Splunk head for a specific (IP) server, however, this data is coming into _main. I got on the Windows box where this data is coming from and I could not see a universal forwarder or syslog implementation despite much searching. I do not know how the data is coming into Splunk, which is a problem since I need the data to go into a different index. This leaves me asking, how is the data coming in? Is there a way to trace events all the way back to the origination point AND know what the path that the data took? I there a way to know what process originated the data on the machine?

martin_mueller · ‎02-23-2016

I'd check a few things:

timestamps on the events - maybe they're old and you're chasing ghosts?
host and source of the events
receiving enabled on the indexer
search index=_internal source=*metrics.log* group=tcpin_connections for info around incoming forwarder connections
inputs enabled on the indexer
if source and inputs don't line up, check for props.conf/transforms.conf rewrites (TRANSFORMS-foo in props.conf)
search index=_internal source=*metrics.log* thruput for clues where the indexer thinks it has throughput

How to find the path for an unknown data source that is sending data to Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation