How to check status of indexing?

pradjswl · ‎05-04-2017

I am using splunk-enterprise in my local machine. I have configured 4 Files/Directory monitoring for the data indexing. I added one file in all of the directory. I dont see the data from 4ht directory getting indexed and shown in splunk result. Thought i do see the data from other 3 directory getting indexed and displayed in search result. Is there a way I can check the status if the data from that directory is really indexed or not . I am looking for an approach other than searching for that data in search query, as I already know the search is not returning the result from that source type.

richgalloway · ‎05-04-2017

Since you have 3 of the 4 directories indexed we can monitoring is working correctly. That means either 1) the monitor settings for the 4th directory are incorrect; or 2) the query searching for directory 4 is incorrect. Double-check your monitor settings and compare them to your query.

---
If this reply helps you, Karma would be appreciated.

DalJeanis · ‎05-04-2017

I'd also carefully check the conf settings for the fourth source type and see if any values have not been updated correctly.

I'd also do a quick search to see if maybe the results WAS indexed, but was marked with the wrong sourcetype...

(a search that returns one specific record from the test file) 
| stats count as totalcount dc(sourcetype) as distinctcount by _raw

How to check status of indexing?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor