I know I can use this command to check the file monitoring status; however, it gives a huge amount of output.
./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus -auth admin:changeme
OR
https://localhost:8089/services/admin/inputstatus
Is there any other command that also does the job?
Starting from Splunk version 6.3, you can use this command.
./splunk list inputstatus
It will return something like this.
Cooked:tcp :
    9997:192.168.1.104:8089
        time opened = 2017-07-09T17:28:47+0800
    /opt/splunk/var/log/splunk/splunkd_ui_access.log
        file position = 434781
        file size = 434781
        parent = $SPLUNK_HOME/var/log/splunk
        percent = 100.00
        type = finished reading
Here is the meaning of the output:
file position: The file pointer position that Splunk is currently reading at. If this is the same as file size, Splunk has reached the end of the file (EOF).
file size: Total size of the monitored file.
parent: If you are monitoring a directory, this tells you which monitoring stanza the file comes from.
percent: The progress of the monitoring. If it is less than 100%, Splunk will revisit the file.
type: The monitoring status. It can be 'finished reading', 'open file', 'missing', 'directory', or 'reading (batch)'.
Remark: If you see 'reading (batch)', the file that you are monitoring is larger than min_batch_size_bytes in limits.conf (default is 20M in size) and Splunk is using the batch processor to process the file. It is a single-threaded process and processes one file at a time (TailingProcessor is a multi-threaded process).
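To cut the output down to the files that still need attention, the listing can be parsed and filtered. The script below is an added example, not part of the original answer or of Splunk itself: the function names, the second sample file entry and the way a 'missing' entry is handled are assumptions, and the sample text is constructed from the output shown above.

```python
# Constructed sample in the layout shown above; the /var/log/example entry is invented.
SAMPLE = """\
Cooked:tcp :
9997:192.168.1.104:8089
time opened = 2017-07-09T17:28:47+0800
/opt/splunk/var/log/splunk/splunkd_ui_access.log
file position = 434781
file size = 434781
parent = $SPLUNK_HOME/var/log/splunk
percent = 100.00
type = finished reading
/var/log/example/app.log
file position = 1024
file size = 4096
percent = 25.00
type = open file
"""

def parse_inputstatus(text):
    """Return {entry_name: {key: value}}; works with or without indentation."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(" :"):   # blank line or section header
            current = None
            continue
        if " = " in line and current is not None:
            key, value = line.split(" = ", 1)
            entries[current][key.strip()] = value.strip()
        elif " = " not in line:
            current = line                     # a new file path or connection
            entries.setdefault(current, {})
    return entries

def lagging_files(entries):
    """Files that are missing or whose read position is behind the file size."""
    flagged = []
    for name, attrs in entries.items():
        if "file size" not in attrs and attrs.get("type") != "missing":
            continue                           # not a file entry (e.g. a TCP input)
        behind = int(attrs.get("file position", 0)) < int(attrs.get("file size", 0))
        if attrs.get("type") == "missing" or behind:
            flagged.append((name, attrs.get("type"), attrs.get("percent")))
    return flagged

if __name__ == "__main__":
    for name, status, percent in lagging_files(parse_inputstatus(SAMPLE)):
        print(f"{name}: type={status} percent={percent}")
```

On a real forwarder, pass the captured text of ./splunk list inputstatus to parse_inputstatus() instead of SAMPLE.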