How are logs appearing on a particular source type...

verifi81 · ‎07-22-2020

Hi. In my heavy forwarder I am trying to understand how logs are appearing on a particular source type.

I go to Settings < source type< and search for it. I find it. I edit it. But it's not telling me any detail on how those .csv files from the various host are getting the file to the heavy forwarder.

The universal forwarder inputs.conf file on the host does not reference the .csv files.

Anything else I can do on the heavy forwarder to find out how the host are sending to it? It's not syslog.

renjith_nair · ‎07-22-2020

Are you indexing the events on HF or forwarding it to indexer?

While searching for the events , doesn't the "source" field has information about source of the data and "host" field about the machine from where the events are pushed?

Do you have web enabled on the HF and is there a possibility of manual upload ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

verifi81 · ‎07-22-2020

The HF is forwarding to splunk cloud for indexing. No Indexing done on the HF

While searching the event the source is:

C:\monitor\splunk.csv

The CSV does exist on the host. My question is, how is the host sending this csv file to the HF? I don't see anything in the input.conf file referencing this csv.

renjith_nair · ‎07-23-2020

Do you have only one UF and one HF and all the events are going through HF before hitting index?

Is the web enabled for HF and is there a possibility of direct upload using web ?

Also search in your _internal logs and check if you are able to find any activity regarding the file upload

---
What goes around comes around. If it helps, hit it with Karma 🙂

verifi81 · ‎07-23-2020

I have lots of UFs (individual servers) and one HF. Yes all events from UFs are hitting the HF before getting indexed at the cloud.

Would you elaborate on what you mean by is the web enabled for HF and direct uploading?

On the HF I searched index=_internal and no data

verifi81 · ‎07-23-2020

Within the HF < Settings < Data Inputs < Forwarded Inputs < Files and Directories <
I see the source path c:\splunk\computers.csv there and it is ENABLED

Still doesn't answer my question about how this CSV is getting sent to the HF

renjith_nair · ‎07-24-2020

"On the HF I searched index=_internal and no data" => if you are not indexing in HF, you should search (index=_internal) in search head which is connected to indexers

"Would you elaborate on what you mean by is the web enabled for HF and direct uploading?" => If you have splunk web enabled on HF, users can login to the splunk web and upload data.

It could be on any of the forwarders or HFs and the inputs.conf can be present in multiple places. Try splunk btool to list out the inputs conf stanzas on the machine from where the file is uploaded

---
What goes around comes around. If it helps, hit it with Karma 🙂

verifi81 · ‎07-27-2020

great suggestion on the btool. i found references of the .csv file in an inputs file under

C:\Program Files\SplunkUniversalForwarder\etc\apps\ForwardedMonitor\local

I'm assuming if the stanza beings with MONITOR and then has path to the .csv and also a sourcetype specified, that would instruct the universal forwarder to send this file to the Heavy forwarder?

renjith_nair · ‎07-27-2020

Yes, that should be it. If there is no configuration for index or other parameters, it will be picked up from the default

---
What goes around comes around. If it helps, hit it with Karma 🙂

How are logs appearing on a particular source type in heavy forwarder?

configuration

using Splunk Enterprise

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms