Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Debugging universal forwarder sinkhole ingestion

garrettsdet
Engager
‎01-20-2021 11:30 AM

Hi! I have a local setup where I have splunk Enterprise, and a single universal forwarder monitoring an arbitrary Documents folder:

The forwarder is set up to send entire files to splunk with these inputs.conf settings:

[batch://C:\Users\Currentuser\Documents\TestSplunk]
disabled = 0
sourcetype = BugReport
move_policy = sinkhole
index = sandbox

When I place a text file into this TestSplunk directory, it does disappear, showing that the forwarder had picked it up, and disposed of the file as per the move_policy. However, from Splunk enterprise, I can't seem to see evidence of the file being received. In the splunkd.log belonging to the forwarder, I don't see any message with regards to the file that it detected/sent/deleted. How would I be able to see information about this kind of thing?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2021 01:03 PM

Have you tried this search?  If not, what did you try?

index=sandbox sourcetype=BugReport earliest=0 latest=+1y
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2021 01:03 PM

Have you tried this search?  If not, what did you try?

index=sandbox sourcetype=BugReport earliest=0 latest=+1y
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

garrettsdet
Engager
‎01-20-2021 01:49 PM

Thanks Rich!

The search worked and showed a bunch of events for the two files I ingested. I tried a search earlier today of sourcetype=BugReport, but that didn't work. I guess I need to study the search syntax more closely, maybe do some tutorials.

Thanks for the help!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2021 05:17 AM

It's important to always specify an index in your searches because the default index(es) for your role may not be the one(s) where the data resides.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...