How long to wait after "splunk add oneshot" before doing searches?

Explorer

[All this is using CLI]

I do add oneshot for 3 log files one after the other.
Then I do an immediate search on the last log file which fails.

If I wait for a few seconds, the search works. My question is, is there a way for me to deterministically wait before beginning searches? I want to avoid adding sleeps as they may not work depending on how large the log file is.

Thanks!

Re: How long to wait after "splunk add oneshot" before doing searches?

Splunk Employee

One way would be to query the tailing processor (https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus). Here is more detail that links to a Python script that shows how to do this: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
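
An added example, not part of the reply above and not the script from the linked blog post: a bounded poll on the file status endpoint in place of a fixed sleep. The response layout (an `inputs` dict keyed by file path with `file position` and `file size`) is an assumption to check against your own instance, the sample XML is constructed, and `fetch` is a hypothetical caller-supplied function that returns the endpoint's XML from an authenticated request.

```python
import time
import xml.etree.ElementTree as ET

S = "{http://dev.splunk.com/ns/rest}"  # namespace of the s:dict / s:key elements

# Constructed sample response (layout assumed, trimmed to the keys used below).
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>TailingProcessor:FileStatus</title><content type="text/xml"><s:dict>
<s:key name="inputs"><s:dict>
<s:key name="/tmp/a.log"><s:dict>
<s:key name="file position">2048</s:key><s:key name="file size">2048</s:key>
<s:key name="percent">100.00</s:key></s:dict></s:key>
<s:key name="/tmp/b.log"><s:dict>
<s:key name="file position">512</s:key><s:key name="file size">4096</s:key>
<s:key name="percent">12.50</s:key></s:dict></s:key>
</s:dict></s:key></s:dict></content></entry></feed>"""

def file_progress(xml_text):
    """Map each path under 'inputs' to (position, size); None if not reported."""
    root = ET.fromstring(xml_text)
    progress = {}
    for inputs in root.iter(S + "key"):
        if inputs.get("name") != "inputs":
            continue
        for entry in inputs.findall(f"{S}dict/{S}key"):
            fields = {k.get("name"): (k.text or "") for k in entry.findall(f"{S}dict/{S}key")}
            try:
                progress[entry.get("name")] = (int(fields["file position"]), int(fields["file size"]))
            except (KeyError, ValueError):
                progress[entry.get("name")] = None
    return progress

def pending(xml_text, paths):
    """Return the paths not yet fully read; paths absent from the response count as pending."""
    seen = file_progress(xml_text)
    return [p for p in paths if not seen.get(p) or seen[p][0] < seen[p][1]]

def wait_until_read(fetch, paths, timeout=120.0, interval=1.0):
    """Poll fetch() until every path is fully read (True) or the timeout expires (False)."""
    deadline = time.monotonic() + timeout
    while True:
        left = pending(fetch(), paths)
        if not left:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)
```

The check covers read progress only, so a `False` return should fail the calling script with the list from `pending()` rather than fall through to the search.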