Hello Splunk Forum TEAM,
I have a question referring to the integration: right now I receive the information without problems, but when I try to check it in a search I can't find any log.
Here is where we use the scripts to pull data and delete it after 30 days.
-----------------------------------------------------------------------------------------------------------------------------------
5. In $SPLUNK_HOME/etc/apps/TA-cisco_umbrella/local/inputs.conf create the following stanzas. Make sure you change the path and index in the monitor stanza if necessary!

[script://./bin/pull-umbrella-logs.sh]
disabled = 0
interval = 300
index = _internal
sourcetype = cisco:umbrella:input
start_by_shell = false

[script://./bin/delete-old-umbrella-logs.sh]
disabled = 0
interval = 600
index = _internal
sourcetype = cisco:umbrella:cleanup
start_by_shell = false

[monitor:///opt/splunk/etc/apps/TA-cisco_umbrella/data/dnslogs/*/*.csv.gz]
disabled = 0
index = opendns
sourcetype = opendns:dnslogs

6. Verify data is coming in and you are seeing the proper field extractions by searching the data.
Example Search: index=awsindexyouchose sourcetype=opendns:dnslogs
Note: You can look for script output by searching: index=_internal sourcetype=cisco:umbrella*
---------------------------------------------------------------------------------------------------------------------------------------
But when I run the following search: index=_internal sourcetype=cisco:umbrella* I don't retrieve any data.
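The stanzas quoted above define three inputs, and each one lands in its own index/sourcetype pair, so the search that finds it has to match the stanza rather than the README's placeholder (the monitor stanza as written indexes into opendns, not awsindexyouchose). The script below is an added example, not code from the original post or from the TA-cisco_umbrella app: it parses a constructed copy of those inputs.conf stanzas, derives the search for each input, flags the usual reasons a search comes back empty (input disabled, missing index/sourcetype, an internal index that only roles allowed to search _* can see), and scans constructed splunkd.log lines in the ExecProcessor format for errors printed by the scripts. The log lines and the "command not found" text are invented for illustration; only the stanza names and paths come from the thread.

```python
"""Derive the search for each Splunk input and list why it might be empty.

Added example, not part of the TA-cisco_umbrella app or the original post.
"""
import configparser
import re

# Constructed copy of the inputs.conf stanzas quoted in the thread.
INPUTS_CONF = """\
[script://./bin/pull-umbrella-logs.sh]
disabled = 0
interval = 300
index = _internal
sourcetype = cisco:umbrella:input
start_by_shell = false

[script://./bin/delete-old-umbrella-logs.sh]
disabled = 0
interval = 600
index = _internal
sourcetype = cisco:umbrella:cleanup
start_by_shell = false

[monitor:///opt/splunk/etc/apps/TA-cisco_umbrella/data/dnslogs/*/*.csv.gz]
disabled = 0
index = opendns
sourcetype = opendns:dnslogs
"""

# Constructed splunkd.log lines. splunkd writes what a scripted input prints to
# stderr as 'ExecProcessor - message from "<script path>" <text>'; the error
# text here is invented for illustration.
SPLUNKD_LOG = [
    '05-01-2024 10:00:05.123 +0000 INFO  ExecProcessor - New scheduled exec process: '
    '/opt/splunk/etc/apps/TA-cisco_umbrella/bin/pull-umbrella-logs.sh',
    '05-01-2024 10:00:05.456 +0000 ERROR ExecProcessor - message from '
    '"/opt/splunk/etc/apps/TA-cisco_umbrella/bin/pull-umbrella-logs.sh" aws: command not found',
]

EXEC_ERR = re.compile(
    r'(?P<level>ERROR|WARN)\s+ExecProcessor - message from "(?P<script>[^"]+)"\s*(?P<msg>.*)'
)


def parse_inputs(text):
    """Return {stanza: {key: value}} for an INI-style Splunk .conf file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def search_for(settings):
    """Build the search that should return this input's events."""
    return f"index={settings.get('index', 'default')} sourcetype={settings.get('sourcetype', '')}"


def check_input(stanza, settings):
    """Return human-readable reasons the derived search may come back empty."""
    problems = []
    if settings.get("disabled", "0").lower() not in ("0", "false"):
        problems.append("input is disabled")
    if "index" not in settings or "sourcetype" not in settings:
        problems.append("index or sourcetype missing; events go to the defaults")
    if settings.get("index", "").startswith("_"):
        problems.append("internal index: only roles allowed to search _* (admin by default) see it")
    if stanza.startswith("script://") and "interval" not in settings:
        problems.append("no interval set; Splunk falls back to its default schedule")
    return problems


def script_errors(log_lines, script_name):
    """Return ExecProcessor error/warn messages emitted by the named script."""
    found = []
    for line in log_lines:
        m = EXEC_ERR.search(line)
        if m and m.group("script").endswith(script_name):
            found.append(m.group("msg"))
    return found


def report(inputs_text=INPUTS_CONF, log_lines=SPLUNKD_LOG):
    """Map every stanza to its search, its problems and any script errors."""
    result = {}
    for stanza, settings in parse_inputs(inputs_text).items():
        entry = {"search": search_for(settings), "problems": check_input(stanza, settings)}
        if stanza.startswith("script://"):
            entry["script_errors"] = script_errors(log_lines, stanza.rsplit("/", 1)[-1])
        result[stanza] = entry
    return result


if __name__ == "__main__":
    for stanza, entry in report().items():
        print(stanza)
        print("  search:", entry["search"])
        for p in entry["problems"]:
            print("  problem:", p)
        for e in entry.get("script_errors", []):
            print("  splunkd.log:", e)
```

Run it against the real $SPLUNK_HOME/etc/apps/TA-cisco_umbrella/local/inputs.conf and the tail of $SPLUNK_HOME/var/log/splunk/splunkd.log to get the exact search for each input; if the scripts' own output is what is missing, the searching role needs access to _internal, and any ExecProcessor lines for the script show why it produced nothing.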
Do you have access to the _internal index?
Can you run the scripts manually to verify they work as expected?
Have you checked splunkd.log for errors?