Verify CrowdStrike data input

Verify your CrowdStrike data input in Data Inputs by checking the deployment status and reviewing ingestion metrics.

Use any of the following methods:

  • View the Data Inputs home page in Data Inputs.
  • On the Data Inputs page, in the Ingest inputs tab, select a CrowdStrike input name to open the details pane and review the input configuration, including sensor event filters and device enrichment settings.

Each input displays a real-time status indicator that reflects the current health of the input and its underlying connector. When the input encounters a problem, the indicator shows a warning or error state:

Warning state

Data Inputs shows a warning when the input has invalid configuration that prevents normal operation. This includes:

  • Invalid AWS credentials: the AWS access key, secret, or SQS queue URL that you provided for the input is no longer valid or accessible.
  • Invalid CrowdStrike client credentials: the API client secret has expired or someone rotated it, or an administrator removed the required Hosts read scope.

In a warning state the input continues to exist but data collection is impaired. To resolve the issue, edit the input and update the affected credentials. Once you save the input with valid credentials, the status returns to a healthy state automatically.

Error state

Data Inputs shows an error when the underlying connector fails due to an infrastructure or deployment issue that requires Splunk support to resolve. The input details page provides connector-level error detail to help you diagnose and report the problem.

To open the details pane for an input and review its status, complete the following steps:

  1. Log in to Splunk Cloud and select the Data Inputs app.
  2. On the Data Inputs page, select the Ingest inputs tab.
  3. Select the CrowdStrike input name to open the details pane.

    The details pane displays the input configuration, deployment status, and any alerts.

    The pane also displays fields that are managed by a read-only shared configuration. You cannot edit these fields directly. To make changes, clone the configuration first.

  4. (Optional) If the details pane shows a warning or error, follow the recovery guidance to resolve the issue.

    For credential warnings, edit the input and correct the affected fields. Because CrowdStrike client configurations are shared resources, updating the credentials applies the change to all inputs that use the same configuration.

    For connector errors, use the error detail on the input details page to initiate a Splunk support request.