Hi. In my heavy forwarder I am trying to understand how logs are appearing on a particular source type.
I go to Settings > Source types and search for it. I find it. I edit it. But it's not telling me any detail on how those .csv files from the various hosts are getting the file to the heavy forwarder.
The universal forwarder inputs.conf file on the host does not reference the .csv files.
Anything else I can do on the heavy forwarder to find out how the hosts are sending to it? It's not syslog.
Are you indexing the events on the HF or forwarding them to an indexer?
While searching for the events, doesn't the "source" field have information about the source of the data and the "host" field about the machine from where the events are pushed?
Do you have web enabled on the HF, and is there a possibility of manual upload?
The HF is forwarding to Splunk Cloud for indexing. No indexing is done on the HF.
While searching the event the source is:
C:\monitor\splunk.csv
The CSV does exist on the host. My question is, how is the host sending this csv file to the HF? I don't see anything in the inputs.conf file referencing this csv.
Do you have only one UF and one HF, and are all the events going through the HF before hitting the index?
Is web enabled for the HF, and is there a possibility of direct upload using the web?
Also search in your _internal logs and check whether you can find any activity regarding the file upload.
I have lots of UFs (individual servers) and one HF. Yes all events from UFs are hitting the HF before getting indexed at the cloud.
Would you elaborate on what you mean by "is the web enabled for HF" and direct uploading?
On the HF I searched index=_internal and no data
Within the HF: Settings > Data Inputs > Forwarded Inputs > Files and Directories
I see the source path c:\splunk\computers.csv there and it is ENABLED
Still doesn't answer my question about how this CSV is getting sent to the HF
"On the HF I searched index=_internal and no data" => If you are not indexing on the HF, you should search (index=_internal) on a search head that is connected to the indexers.
"Would you elaborate on what you mean by is the web enabled for HF and direct uploading?" => If you have Splunk Web enabled on the HF, users can log in to Splunk Web and upload data.
It could be on any of the forwarders or HFs, and inputs.conf can be present in multiple places. Try splunk btool to list out the inputs.conf stanzas on the machine from which the file is uploaded.
Great suggestion on btool. I found references to the .csv file in an inputs file under
C:\Program Files\SplunkUniversalForwarder\etc\apps\ForwardedMonitor\local
I'm assuming that if the stanza begins with MONITOR and then has the path to the .csv and also a sourcetype specified, that would instruct the universal forwarder to send this file to the heavy forwarder?
Yes, that should be it. If there is no configuration for index or other parameters, they will be picked up from the defaults.
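Added example, not from the thread or from Splunk: a small Python script that does what the btool step above does by hand, merging constructed inputs.conf layers in the assumed precedence order (system/local over apps/local over apps/default over system/default) and reporting which monitor stanza picks up a given file and which file set each effective value. It goes slightly beyond the thread in that it also matches a file covered by a directory-level monitor stanza, not only an exact file path; the file paths and stanza contents are constructed for the example.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample inputs.conf contents (not from the thread), keyed by full path.
ETC = r"C:\Program Files\SplunkUniversalForwarder\etc"
SAMPLE_FILES = {
    ETC + r"\system\local\inputs.conf":
        "[monitor://C:\\monitor]\nsourcetype = csv\n",
    ETC + r"\apps\ForwardedMonitor\local\inputs.conf":
        "[monitor://C:\\splunk\\computers.csv]\nsourcetype = inventory_csv\ndisabled = 0\n",
    ETC + r"\apps\ForwardedMonitor\default\inputs.conf":
        "[monitor://C:\\splunk\\computers.csv]\nsourcetype = csv\nindex = inventory\ndisabled = 1\n",
}

def precedence(conf_path: str) -> int:
    # Assumed forwarder layering, low to high: system/default, apps/*/default, apps/*/local, system/local.
    parts = [p.lower() for p in PureWindowsPath(conf_path).parts]
    is_local = parts[-2] == "local"
    return (2 if is_local else 1) if "apps" in parts else (3 if is_local else 0)

def merge_inputs(files: dict) -> dict:
    """Merge lowest precedence first so higher-precedence keys overwrite; key -> (value, file)."""
    merged = {}
    for conf_path in sorted(files, key=precedence):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # keep key case as written
        cp.read_string(files[conf_path])
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                merged.setdefault(stanza, {})[key] = (value, conf_path)
    return merged

def explain(files: dict, file_path: str):
    """Report the most specific monitor:// stanza covering file_path (the file itself
    or a parent directory) and which file set each effective value."""
    target = PureWindowsPath(file_path)
    hits = []
    for stanza, settings in merge_inputs(files).items():
        if stanza.lower().startswith("monitor://"):
            mon = PureWindowsPath(stanza[len("monitor://"):])
            if mon == target or mon in target.parents:
                hits.append((len(mon.parts), stanza, settings))
    if not hits:
        return None
    _, stanza, settings = max(hits)
    unset = ("<splunk default>", "<not set>")
    return {"stanza": stanza,
            "enabled": settings.get("disabled", ("0", ""))[0].lower() not in ("1", "true"),
            "sourcetype": settings.get("sourcetype", unset),
            "index": settings.get("index", unset)}
```

On a real forwarder, `splunk btool inputs list --debug` gives the same per-key file attribution without reimplementing the layering.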