Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Debugging universal forwarder sinkhole ingestion

garrettsdet
Engager
‎01-20-2021 11:30 AM

Hi! I have a local setup where I have splunk Enterprise, and a single universal forwarder monitoring an arbitrary Documents folder:

The forwarder is set up to send entire files to splunk with these inputs.conf settings:

[batch://C:\Users\Currentuser\Documents\TestSplunk]
disabled = 0
sourcetype = BugReport
move_policy = sinkhole
index = sandbox

When I place a text file into this TestSplunk directory, it does disappear, showing that the forwarder had picked it up, and disposed of the file as per the move_policy. However, from Splunk enterprise, I can't seem to see evidence of the file being received. In the splunkd.log belonging to the forwarder, I don't see any message with regards to the file that it detected/sent/deleted. How would I be able to see information about this kind of thing?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2021 01:03 PM

Have you tried this search?  If not, what did you try?

index=sandbox sourcetype=BugReport earliest=0 latest=+1y
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2021 01:03 PM

Have you tried this search?  If not, what did you try?

index=sandbox sourcetype=BugReport earliest=0 latest=+1y
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

garrettsdet
Engager
‎01-20-2021 01:49 PM

Thanks Rich!

The search worked and showed a bunch of events for the two files I ingested. I tried a search earlier today of sourcetype=BugReport, but that didn't work. I guess I need to study the search syntax more closely, maybe do some tutorials.

Thanks for the help!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2021 05:17 AM

It's important to always specify an index in your searches because the default index(es) for your role may not be the one(s) where the data resides.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...