Getting Data In

Debugging universal forwarder sinkhole ingestion

garrettsdet
Engager

Hi! I have a local setup where I have splunk Enterprise, and a single universal forwarder monitoring an arbitrary Documents folder:

The forwarder is set up to send entire files to splunk with these inputs.conf settings:

[batch://C:\Users\Currentuser\Documents\TestSplunk]
disabled = 0
sourcetype = BugReport
move_policy = sinkhole
index = sandbox

When I place a text file into this TestSplunk directory, it does disappear, showing that the forwarder had picked it up, and disposed of the file as per the move_policy. However, from Splunk enterprise, I can't seem to see evidence of the file being received. In the splunkd.log belonging to the forwarder, I don't see any message with regards to the file that it detected/sent/deleted. How would I be able to see information about this kind of thing?

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Have you tried this search?  If not, what did you try?

index=sandbox sourcetype=BugReport earliest=0 latest=+1y
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Have you tried this search?  If not, what did you try?

index=sandbox sourcetype=BugReport earliest=0 latest=+1y
---
If this reply helps you, Karma would be appreciated.

garrettsdet
Engager

Thanks Rich!

The search worked and showed a bunch of events for the two files I ingested. I tried a search earlier today of sourcetype=BugReport, but that didn't work. I guess I need to study the search syntax more closely, maybe do some tutorials.

Thanks for the help!

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's important to always specify an index in your searches because the default index(es) for your role may not be the one(s) where the data resides.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...