You can do some snooping around in the `_internal` index to see if you can figure out where the data is coming from.
I'm not sure what sourcetype UberAgent uses, but if we assume it's `uberagent`, you can run the following search to get some more info about the origin of the data (just replace `uberagent` with the correct sourcetype):
```
index=_internal sourcetype=splunkd component=Metrics group=per_sourcetype_thruput series="uberagent"
```
In the results that return, you should be able to see all of the hosts that have processed data for this sourcetype. Depending on your environment, you may see multiple hosts in the `host` field, but you should be able to determine which hosts are intermediate steps (like a Heavy Forwarder or Indexer) and which hosts are the original source.
From there, you can investigate the hosts `inputs.conf` to see if there are any hints as to where the data is coming from. Sometimes, the `source` field of the data might also indicate where the data is coming from. For example, if the `source` is a file path, it's almost certainly coming from a file monitor input. But it looks like you may have already checked this.
There is also a chance that it was data indexed in the past with future timestamps. But since you mentioned that you deleted the index, this is unlikely the case. New data needs to be indexed for it to start appearing in the `main` index now.
If none of that helps, let me know and we can try some other things. Good luck!
