Splunk Enterprise

How to set up a data input from my universal forwarder?

WildMufasa
Loves-to-Learn

I'm fairly new to Splunk and I am having some trouble setting up a data input from my universal forwarder. I've currently got it configured to pull Windows event files from a specific folder on the machine that are moved to it manually. However, it is only pulling seemingly random files, and 99% aren't getting indexed. I've tried specifying the file type to see if that was an issue, with no luck. I've also tried adding crcSalt = <string> to the inputs.conf file, with no luck there either. I'm trying to see if I'm missing something, as I've gone through many other posts for similar issues to no avail. Any ideas are greatly appreciated.


isoutamo
SplunkTrust
Hi
Can you post your inputs.conf?
r. Ismo

WildMufasa1
Loves-to-Learn Lots

Below is my inputs.conf file; I've hidden the computer name for security.

[monitor://\\COMPUTERNAME\"_ISSO Audits"\DC_Audit_Splunk\"Currently Reviewing"\*.csv]
disabled = false
index = dc_audits
sourcetype = csv


PickleRick
SplunkTrust

@isoutamo's questions are valid, but let me make some assumptions judging from the fact that you say you have no experience with Splunk.

I assume therefore that you installed the Splunk forwarder with default options, which means it's running under the Local System user. This user will not have permissions to connect to a remote share. For getting files from remote shares, the UF should be installed as a domain user (a managed service account) which should be granted access to the shares. Since you can't specify credentials for connecting to the share, it needs a domain account. Maybe, just maybe, it would work with a share open to everyone, but that's a very bad idea.

The syntax of the monitor stanza is probably also bad with those quotes.


WildMufasa1
Loves-to-Learn Lots

OK, I think I see my issue: the forwarder was installed with a domain user; however, that user doesn't have access to the folder where the files are being stored. So I will reinstall the forwarder using an account that has access to the drive and see if that makes a difference.


isoutamo
SplunkTrust

How have you installed the UF on this machine? Is that host joined to an AD domain, and which user account is used to run Splunk? Does that user have access to this network share?

What kind of files are those CSV files? Do they all have the same format, or different ones? And are they using the same or different names? Do they have identical content at the beginning of the file?

I think that you don't need those " characters around directory names with spaces?

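The three things the replies above ask about (which account the forwarder service runs as, whether that account can read the share, and whether the CSV files start with identical bytes) can be checked on the forwarder host with the following PowerShell, written here as an added example that is not from the thread or from Splunk. It assumes the default Windows service name SplunkForwarder, uses a constructed placeholder in place of the poster's hidden share path, and emits a monitor stanza without the quoted path segments; crcSalt = <SOURCE> is the literal value Splunk accepts to fold the source path into the file CRC, which is what is needed when many files share the same first 256 bytes.

```powershell
# Added example, not from the thread: checks for a Windows universal forwarder that monitors
# CSV files on a UNC share. Assumes the default service name "SplunkForwarder"; the share path
# is a constructed placeholder standing in for the poster's hidden path.
$SharePath = '\\COMPUTERNAME\_ISSO Audits\DC_Audit_Splunk\Currently Reviewing'

function Get-ForwarderServiceAccount {
    # The account the UF service logs on as. "LocalSystem" has no domain identity and so
    # cannot authenticate to a remote share; a domain (managed) service account is needed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SplunkForwarder'"
    if ($null -eq $svc) { return $null }
    return $svc.StartName
}

function Test-ShareReadAccess {
    param([string]$Path)
    # Only meaningful when run as the same account the service uses: Test-Path and
    # Get-ChildItem prove the caller's access, not the service's.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        Get-ChildItem -LiteralPath $Path -Filter '*.csv' -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Get-DuplicateFileHeads {
    param([string]$Path)
    # Splunk identifies a monitored file by a CRC of its first 256 bytes. CSV exports that start
    # with the same header line (and often the same first record) produce the same CRC, so all
    # but the first are treated as already indexed. crcSalt = <SOURCE> adds the path to the CRC.
    Get-ChildItem -LiteralPath $Path -Filter '*.csv' -File |
        Where-Object Length -gt 0 |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $last  = [Math]::Min(255, $bytes.Length - 1)
            [pscustomobject]@{
                File = $_.Name
                Head = [Convert]::ToBase64String($bytes[0..$last])
            }
        } |
        Group-Object -Property Head |
        Where-Object Count -gt 1
}

function New-MonitorStanza {
    param([string]$Path, [string]$Index, [string]$Sourcetype)
    # inputs.conf takes the path as written, spaces included; quoting individual path
    # segments turns the stanza header into a path that never matches anything on disk.
    @"
[monitor://$Path\*.csv]
disabled = false
index = $Index
sourcetype = $Sourcetype
crcSalt = <SOURCE>
"@
}

$account = Get-ForwarderServiceAccount
if ($null -eq $account) { Write-Host 'SplunkForwarder service not found on this host' }
else { Write-Host "SplunkForwarder runs as: $account" }

$readable = Test-ShareReadAccess -Path $SharePath
Write-Host "Share readable by the current user: $readable"

if ($readable) {
    foreach ($group in (Get-DuplicateFileHeads -Path $SharePath)) {
        Write-Host "Same first 256 bytes: $($group.Group.File -join ', ')"
    }
}

# Stanza to paste into inputs.conf once the service account can read the share.
New-MonitorStanza -Path $SharePath -Index 'dc_audits' -Sourcetype 'csv'
```

Run it in a session started as the account the SplunkForwarder service uses (the StartName it prints); a share that is readable to an interactive administrator but not to that account is exactly the situation PickleRick describes. If the duplicate-head check lists groups of files, that matches isoutamo's last question and explains why only the first file of each group was indexed.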