There is an endpoint on a forwarder which lists the monitors, i.e. the files indexed:
/servicesNS/nobody/_appname_/data/inputs/monitor/
However, this endpoint lists all files monitored and not only the ones monitored by this app.
How can I get the files monitored by an app, or only the files in the "search" app, i.e. manually added by an administrator on the machine?
One workaround is to filter by the desired string in the feed.entry.id
| rename feed.entry.id AS id | rename feed.entry.title AS title | eval tmp=mvzip(title,id) | table tmp | mvexpand tmp | eval tmp=split(tmp,",")| eval file=mvindex(tmp,0) | eval id=mvindex(tmp,1) | search id="*myAppName*" | table file
Not so very nice but somewhat ok-ish
If anyone wants to do this, feel free to download the App TA-forwarderquery
https://splunkbase.splunk.com/app/2775/
This is awesome. This should be built-in!
Glad you like it. Open for suggestions @ncsantucci
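An added example, not part of the thread and not code from TA-forwarderquery: the same per-app filter done outside SPL by parsing the endpoint's Atom feed and comparing the app segment of each entry id exactly. It also shows why a wildcard match on the id can over-report when the app name appears in a monitored path. The feed below is constructed, and the id layout (`/servicesNS/<owner>/<app>/data/inputs/monitor/<encoded path>`), host name and app names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample of the monitor endpoint's Atom feed (assumed id layout).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>/var/log/messages</title>
    <id>https://fwd.example:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Fmessages</id>
  </entry>
  <entry>
    <title>/opt/search/logs/app.log</title>
    <id>https://fwd.example:8089/servicesNS/nobody/TA-example/data/inputs/monitor/%252Fopt%252Fsearch%252Flogs%252Fapp.log</id>
  </entry>
  <entry>
    <title>/var/log/secure</title>
    <id>https://fwd.example:8089/servicesNS/nobody/TA-example/data/inputs/monitor/%252Fvar%252Flog%252Fsecure</id>
  </entry>
</feed>"""

def monitors(feed_xml):
    """Return (title, id) pairs for every entry in the feed."""
    root = ET.fromstring(feed_xml)
    return [(e.findtext(ATOM + "title", default=""),
             e.findtext(ATOM + "id", default=""))
            for e in root.iter(ATOM + "entry")]

def app_of(entry_id):
    """Extract the app segment from a servicesNS-style id, or None."""
    parts = urlsplit(entry_id).path.split("/")
    # Expected: ['', 'servicesNS', owner, app, 'data', 'inputs', 'monitor', ...]
    if len(parts) > 3 and parts[1] == "servicesNS":
        return unquote(parts[3])
    return None

def files_for_app(feed_xml, app):
    """Exact match on the app segment of the id."""
    return [t for t, i in monitors(feed_xml) if app_of(i) == app]

def files_by_substring(feed_xml, app):
    """Equivalent of search id="*app*": matches anywhere in the id."""
    return [t for t, i in monitors(feed_xml) if app in i]

if __name__ == "__main__":
    print("exact    :", files_for_app(SAMPLE_FEED, "search"))
    print("substring:", files_by_substring(SAMPLE_FEED, "search"))
```
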