https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109566#M183526 <P>You can call the endpoint directly from the CLI:</P> <PRE><CODE>./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus </CODE></PRE> Thu, 27 Mar 2014 16:36:08 GMT martin_mueller 2014-03-27T16:36:08Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109564#M183524 <P>We would like to have forwarders run as root in order to overcome file permissions. However, we also will be security hardening it as much as possible. One of these measures is to stop port 8089 on the forwarder. I assume this will not give us the ability to read the REST endpoint <A href="https://hostname:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus">https://hostname:8089/services/admin/inputstatus/TailingProcessor%3AFileStatus</A>. Are there any other ways to gather this data without the REST endpoint being available?</P> Thu, 27 Mar 2014 14:16:00 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109564#M183524 vcarbona 2014-03-27T14:16:00Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109565#M183525 <P>How about using search?<BR /> index=_internal component=TailingProcessor</P> Thu, 27 Mar 2014 16:21:18 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109565#M183525 somesoni2 2014-03-27T16:21:18Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109566#M183526 <P>You can call the endpoint directly from the CLI:</P> <PRE><CODE>./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus </CODE></PRE> Thu, 27 Mar 2014 16:36:08 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109566#M183526 martin_mueller 2014-03-27T16:36:08Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109567#M183527 <P>That would have been cool, but I get this:</P> <BLOCKQUOTE> <P>ps -ef|grep splunk</P> </BLOCKQUOTE> <P>splunk 5604 1 53 11:39 ? 00:00:13 splunkd -p 8089 restart<BR /> splunk 5605 5604 0 11:39 ? 00:00:00 [splunkd pid=5604] splunkd -p 8089 restart [process-runner]</P> <BLOCKQUOTE> <P>./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus<BR /> QUERYING: '<A href="https://127.0.0.1:8089/services/admin/inputstatus/TailingProcessor:FileStatus">https://127.0.0.1:8089/services/admin/inputstatus/TailingProcessor:FileStatus</A>'<BR /> This command [GET /services/admin/inputstatus/TailingProcessor:FileStatus] needs splunkd to be up, and splunkd is down.</P> </BLOCKQUOTE> Thu, 27 Mar 2014 16:43:24 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109567#M183527 vcarbona 2014-03-27T16:43:24Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109568#M183528 <P>So you've made port 8089 unavailable even from localhost? Then it might indeed be tough to call the REST API.</P> Thu, 27 Mar 2014 17:19:14 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109568#M183528 martin_mueller 2014-03-27T17:19:14Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109569#M183529 <P>Thanks! This actually helped us to identify some problem areas. But it appears conditions like "ignored file (crc conflict, needs crcSalt)" or "File did not match whitelist ..." do not show up.</P> Thu, 27 Mar 2014 18:45:22 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109569#M183529 vcarbona 2014-03-27T18:45:22Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109570#M183530 <P>I noticed the btprobe command shows some interesting data about the file status. It appears it is able to retrieve the modtime and seek pointer. Is it correct to assume that sptr (or seek pointer) is where the forwarder left off reading the file?</P> <P>splunk cmd btprobe -d /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/messages</P> <P>Using logging configuration at /opt/splunkforwarder/6.0.3-204106/etc/log-cmdline.cfg.<BR /> key=0xf4e82f9f021c429d scrc=0xc6e25d94afc02135 sptr=871 fcrc=0x452905a167cf4509 flen=0 mdtm=1404740503 wrtm=1404740504</P> Mon, 28 Sep 2020 17:00:28 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109570#M183530 vcarbona 2020-09-28T17:00:28Z https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109571#M183531 <P>Actually "ignored file (crc conflict, needs crcSalt)" does appear, it just has a different error. I run it as "index=_internal component=TailingProcessor ERROR salt". It shows up as an ERROR alert level. The "File did not match whitelist ..." appears when I set TailingProcessor to DEBUG level.</P> Tue, 08 Jul 2014 17:50:46 GMT https://community.splunk.com/t5/Splunk-Search/TailingProcessor-File-Status-without-port-8089/m-p/109571#M183531 vcarbona 2014-07-08T17:50:46Z