Getting Data In

Why are logs going into an unknown folder?

cedmunds
New Member

I have logs going from the Universal Forwarder, but they are going to the Unknown Folder instead of uploading to the Cloud.

What could be causing this issue?

0 Karma

rsennett_splunk
Splunk Employee

When you first get started with configuring data architecture for logging to the cloud, it can be confusing as to which is pointing to what. So first I'll suggest that you scan through this doc to be sure that you have everything aligned the way we expect it to be. Just on the off chance you've got something pointing in the wrong direction. (I don't think so from your description... but what you're saying isn't making a whole lot of contextual sense, so let's just say - you will want to go over the configuration carefully.)

Click Here To Read About Sending Data To Splunk Cloud From A Forwarder

The link starts with the instructions for Windows. ("unknown folder" suggests to me you're on Windows, but all the instructions for Windows, Linux and macOS are there one after the other.)

The data you are asking the UF to read will be read and forwarded to the indexer in Splunk Cloud. However, if it is NOT making it to Splunk Cloud for some reason... it isn't going to be physically dropped on the floor, i.e. nothing is going to make a folder without a name. Meaning... the UF won't just spit it back out. So something you are doing is making that folder...

Now, if that context and the doc don't help you, what we need in order to give you a hand is for you to show us the inputs instructions you've added and the outputs. These will be found in the configuration files inputs.conf and outputs.conf, which may have been deliberately created by you or created by using commands at the command line (which will make directing you to them a bit more complex). If you need help finding them... you will need to provide a bit more context on how you are doing things, and I'm sure we'll be able to get to the bottom of this for you.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

woodcock
Esteemed Legend

Splunk has no feature to move files to folders. You need to explain waaaaaaaaaaaaaay more about what you have engineered.

0 Karma

sandyIscream
Communicator

Could you please elaborate on the issue? For example, what property have you used in your inputs.conf stanza and outputs.conf?

0 Karma