Hi

As @venkatasri said, it's probably access right issues. 

• Which platform those UF's are?
• Are you using DS for deploy those configs (probably not as you try to put those under system/local)
  • My guidelines is that never ever put anything under system/local if it works somewhere else
• Have you restart UF after adding those configurations or have you added those with CLI commands?
• Which user is running splunk
• Have you check UF's splunkd.log to see if there are any errors related to this
• Are UF's internal log seen on splunk SH?

r. Ismo

Hi @isoutamo 

• Which platform those UF's are? -- Windows platform
• Are you using DS for deploy those configs (probably not as you try to put those under system/local) -- No DS
  • My guidelines is that never ever put anything under system/local if it works somewhere else -- This is just for testing purpose, but reverted the change from etc/system/local to etc/apps/TA/local
• Have you restart UF after adding those configurations or have you added those with CLI commands? ----Since it is Windows, have placed the TA manually by copy paste. Restarted Splunk services from Services
• Which user is running splunk -- We have a user called splunk 
• Have you check UF's splunkd.log to see if there are any errors related to this -- Till now no such errors, but can see INFO  ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd.
• Are UF's internal log seen on splunk SH? -- Yes I can see the splunk internal logs on SH but not the logs on the specified index

Hi

as it's windows platform you must use windows notation for those paths not unix version.

e.g. C:\temp\foo.bar

If you want collect data from network shares you must have user which have access to those shares, usually it means domain user.

And check that your splunk user has access to those directories/files which you try to ingest.

As you get those internal logs to splunk then we are knowing that connection is ok and the issue is definitely on UF side.

r. Ismo