Hi Everyone,
I was wondering what the number of files in the data inputs, files and directories page indicates? I have attached a snapshot here.
Thanks,
Paduka
It's the number of files being monitored by Splunk for that monitor/batch data input. When you set up a data input via file/directory monitoring (and restart if deploying the data input via conf files), Splunk creates a list of files that it should be watching/monitoring for changes, and the column "Number of files" represents that.
This is what one would assume but it is definitely not the whole case. I would open a support case and also ask them to update the docs on this because it does different things for different types of inputs. For example, the Splunk_TA_nix has an input for /var/log/secure and this screen shows a value of 144 even though it only contains the exact file and 4 rotated files. This makes no sense.
Please note that these numbers get affected by settings like ignoreOlderThan, blacklist/whitelist, etc.
I feel it's not that number. I have done multiple tests on this but it is never the number of files that are being monitored by Splunk using the monitor input.
I don't think there is a 100% accurate method to know the exact number of files being monitored. The inaccuracies are generally due to whitelist/blacklist regex. You can also compare the numbers from the UI (the place you mentioned) with those from the CLI (run $Splunk_Home/bin/splunk list monitor). The UI actually uses the REST API endpoint /data/input/monitor/<<URLENcodedMonitoredPath>> to get that info. See this for more info on that REST API endpoint.
http://docs.splunk.com/Documentation/Splunk/6.2.6/RESTREF/RESTinput#data.2Finputs.2Fmonitor.2F.7Bnam...
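
One way to do the UI-versus-CLI comparison suggested above, as an added example that is not part of the original thread: it counts the files listed under each input in `splunk list monitor` output and reports the inputs whose count differs from the UI figure. The output layout, the function names and all sample paths are assumptions constructed for illustration; the 144 versus 5 case mirrors the /var/log/secure report above.

```python
# Constructed sample in the layout assumed for `splunk list monitor` output:
# unindented section headers, indented input paths, deeper-indented files.
SAMPLE_CLI = (
    "Monitored Directories:\n"
    "\t/var/log/secure\n"
    "\t\t/var/log/secure\n"
    "\t\t/var/log/secure-1\n"
    "\t\t/var/log/secure-2\n"
    "\t\t/var/log/secure-3\n"
    "\t\t/var/log/secure-4\n"
    "\t/opt/app/logs\n"
    "\t\t/opt/app/logs/app.log\n"
    "Monitored Files:\n"
    "\t/var/log/messages\n"
)

# Constructed "Number of files" values as read from the UI column.
SAMPLE_UI = {"/var/log/secure": 144, "/opt/app/logs": 1, "/var/log/messages": 1}


def _depth(line):
    """Width of the leading whitespace, used to tell inputs from files."""
    return len(line) - len(line.lstrip(" \t"))


def files_per_input(cli_text):
    """Map each monitored input path to the files the CLI lists for it."""
    result, section, current, input_depth = {}, None, None, None
    for line in cli_text.splitlines():
        if not line.strip():
            continue
        depth = _depth(line)
        if depth == 0:  # section header, e.g. "Monitored Files:"
            section, current, input_depth = line.strip().rstrip(":"), None, None
        elif input_depth is None or depth <= input_depth:
            current, input_depth = line.strip(), depth
            # A single-file input has no child lines; it is its own one file.
            result[current] = [current] if section == "Monitored Files" else []
        else:  # indented deeper than the input line: a file under that input
            result[current].append(line.strip())
    return result


def count_mismatches(cli_text, ui_counts):
    """Return {input: (ui_count, cli_count)} where the two sources disagree."""
    cli = {path: len(files) for path, files in files_per_input(cli_text).items()}
    return {p: (ui_counts.get(p), cli.get(p))
            for p in sorted(set(cli) | set(ui_counts))
            if ui_counts.get(p) != cli.get(p)}


if __name__ == "__main__":
    for path, (ui, cli) in count_mismatches(SAMPLE_CLI, SAMPLE_UI).items():
        print(f"{path}: UI={ui} CLI={cli}")
```

An input that appears in only one of the two sources is reported with `None` on the other side, which is the case worth checking first when an expected log file is not being indexed.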