Getting Data In

How to identify in the splunkd.log when Splunk is no longer monitoring a data input?

Ant1D
Motivator

Hey,

Is there an event in splunkd.log which identifies when a stanza defined in inputs.conf which is not disabled is no longer being indexed?

Thanks in advance for your help

0 Karma

linu1988
Champion

Hello Ant1D,
Rather than going for splunkd.log you can search in splunk metadata command. You wont be finding any indication in the splunkd.log if is has been stopped for monitoring because splunk will keep on monitoring but doesn't actually read anything unless it has changed state.

|metadata type=sources index=Index_Name|where source like '%part_of_Source%'

Of course you wont be able to find if there are many hosts having the same source names.

Thanks,
L

0 Karma

pradeepkumarg
Influencer

You can check the same by running ./splunk list monitor command on the forwarder

0 Karma

Ant1D
Motivator

Yes this command will show me the inputs that Splunk is currently monitoring. It does not indicate if one of these monitored inputs is no longer being indexed for any given reason.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...