Help Center
News
Help Center
News
Popular
Architecture and High-level Information
Scans
Agents
How to Use Dashboards
How to Use Data Asset Inventory
How to Install\Uninstall and Set Up Spirion Sensitive Data Platform
How to Use Logs
How to Manage Users and Roles
Settings and Resources
Additional Resources
Reports
Reporting API
Customer Support Articles
How to Follow Data Through the Search PipelineEndpoint for Windows Configuration Reference GuideEndpoint Software Command Line InterfaceBasic Troubleshooting Steps (Enterprise Console)Endpoints or Results Fail to be Displayed in the ConsoleMongoDB and TLS 1.3SQL Client SQL Exception ErrorHow to Troubleshoot Spirion Client Search Failures and How to WhitelistCustomer Notice – Spirion Agent Update & Security Assessment for PostgreSQLHow to Enable Verbose/Debug Logging for the Endpoint ServiceHow can I monitor the status of a queue job?Can I monitor the job queue status automatically?Troubleshooting: "Unable to find job queue: search_queue"How to Verify the Discovery Agent's StatusHow to check if port 6433 is open on your networkWhat is the SDM Translator Service?How to Create a Single Tenant App for OneDrive and Exchange Online SearchesHow to Configure Spirion for Sybase DiscoveryHow to Use Certificates to Authenticate with SharePoint OnlineHow to Quarantine to a Remote Location Using Spirion Sensitive Data PlatformA Server Error has Occurred: How to use the Chrome Developer ToolsWhy doesn't my Oracle 19c Database scan?How to Enable Full Disk Access on a Mac AgentWhy is My Scan Node Running Out of Disk Space?What to do about Message Processing and Delays, also known as 'Lag,' in SpirionDetails About the Box API used by Spirion to Search Box AccountsHow to Build a Mac Package (PKG)How to Sanitize AgentsHow to Set User and Role AccessHow to Enable SSL Communication between Linux Agents and the Spirion ConsoleHow to Enable HTTPS for the Spirion ConsoleHow to Search BoxFAQ: How do I avoid being prompted to re-login to the Spirion console?Spirion Sensitive Data Platform Scan PerformanceHow to Authenticate to SharePoint On-PremiseHow to Configure Spirion Sensitive Data Platform to Connect to an Oracle DatabaseFAQ: Linux 12.5 Client Package Build WorkaroundTroubleshoot Exchange Online Using Microsoft Graph ExplorerFAQ: What to do when an agent will not start the discovery team scan?Required SQL Server PermissionsHow to Scan Microsoft Teams with Spirion Sensitive Data PlatformField Input Using Linux Machines Anti-virus Alerts Received during Spirion SearchVersion 13.6 MSI Installation Issues - Exe file not signedWhat are common firewall rules needed for distributed scans?
Release Notes

How to Follow Data Through the Search Pipeline

Use this topic to follow data through the search pipeline from the client environment to the server environment.


Before you start

  1. Is this a single-agent scan or a distributed scan?
    • Distributed: One endpoint is the “discovery host” and others are “search workers.”
  3. What is the scan ID / scan start time?
    • Helps find the right section of logs and the correct per-scan queue table (search_queue_<scanId>).

Step 1: Was it discovered (was work created)?

Goal: Confirm the “to-do list” was created in the Job Queue.

What Logs to Check

  • On the discovery host, review identityfinderCMD.exe (IDF/SystemSearch) logs for evidence it: created the per-scan queue table, and inserted jobs as Pending.

Step 2: Was it scanned (did a search agent pick up the work)?

Goal: Confirm search workers are claiming and processing jobs.

What Logs to Check

  • On one or more search agents, review identityfinderCMD.exe logs for ‘read the queue’ messages and LOCATION SEARCHED events

Step 3: Were results staged for shipping (did results enter the Shipper Queue)?

Goal: Confirm results were written to shipper_queue locally.

What Logs to Check

  • On the endpoint doing the searching, review identityfinderCMD.exe logs for evidence it published results into the shipper queue (results are staged before jobs are considered fully done).

Step 4: Were results shipped (did the Shipper send them to Ingress)?

Goal: Confirm the IDFMessagingSvc.exe (IFS/Shipper) is draining shipper_queue and posting to Ingress.

What Logs to Check

  • Review IDFMessagingSvc.exe IFS logs for successful POST to Ingress (HTTP success) and retries/failures if Ingress is unreachable.

Step 5: Server side: did Ingress stream it to Kafka?

Goal: Ingress received the shipped payload and streamed it to Kafka.

What Logs to Check

  • Review Ingress service logs (match up timestamps). Confirm you see batches are received and produced/streamed to Kafka.

Step 6 — Server side: did SearchPersistence consume from Kafka and write SQL Server?

Goal: SearchPersistence consumed the message from Kafka and uploaded/wrote it into SQL Server.

What Logs to Check

  • Search SearchPersistence logs for the CorrelationID also found in the IFS log.

Quick “where is it stuck?” cheat sheet

  • Not discovered → Discovery logs never show targets → issue in Discovery stage.
  • Discovered but not scanned → job queue created, but workers never claim → worker connectivity/queue access/timing issue.
  • Scanned but no results staged → search completes, but no shipper queue inserts → result staging/publishing issue.
  • Staged but not delivered → shipper queue grows, IFS shows failures → shipping/connectivity issue.
  • Delivered but not visible in UI → IFS shipped OK, but Ingress/SearchPersistence missing CorrelationID → server-side ingestion/persistence issue.

What to Collect for Escalation

  • identityfinderCMD IDF logs (discovery + search)
  • IDFMessagingSvc IFS logs (shipper) with CorrelationIDs
  • Ingress logs around the same time window
  • SearchPersistence logs around the same time window with CorrelationIDs
  • Scan start time + timezone, scanId, and whether distributed scan


Was this article helpful?

Powered by Product Fruits