When you first get started with configuring data architecture for logging to the cloud, it can be confusing as to which is pointing to what. So first I'll suggest that you scan through this doc to be sure that you have everything aligned the way we expect it to be, just on the off chance you've got something pointing in the wrong direction. (I don't think so from your description... but what you're saying isn't making a whole lot of contextual sense, so let's just say: you will want to go over the configuration carefully.)
Click Here To Read About Sending Data To Splunk Cloud From A Forwarder
The link starts with the instructions for Windows. ("unknown folder" suggests to me you're on Windows, but all the instructions for Windows, Linux and macOS are there one after the other.)
The data you are asking the UF to read will be read and forwarded to the indexer in Splunk Cloud. However, if it is NOT making it to Splunk Cloud for some reason... it isn't going to be physically dropped on the floor, i.e. nothing is going to make a folder without a name. Meaning... the UF won't just spit it back out. So something you are doing is making that folder...
Now if that context and the doc don't help you, what we need to give you a hand is for you to show us the inputs instructions you've added and the outputs. This will be found in the configuration files outputs.conf, which may have been deliberately created by you or created by using commands at the command line (which will make directing you to them a bit more complex). If you need help finding them... you will need to provide a bit more context to how you are doing things and I'm sure we'll be able to get to the bottom of this for you.