Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Are there any easier way to check file monitoring status beside using TailingProcessor:FileStatus output

daniel_splunk
Splunk Employee
Splunk Employee
‎07-10-2017 09:14 PM

I know I can use this command to check the file monitoring status, however, it give a huge output.

./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus -auth admin:changeme

OR

https://localhost:8089/services/admin/inputstatus

Are there any other command which also do the job?

0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎07-10-2017 09:17 PM

Starting from splunk version 6.3 and later, you can use this command.

./splunk list inputstatus

It will return something like this.

Cooked:tcp :
        9997:192.168.1.104:8089
                time opened = 2017-07-09T17:28:47+0800

    /opt/splunk/var/log/splunk/splunkd_ui_access.log
            file position = 434781
            file size = 434781
            parent = $SPLUNK_HOME/var/log/splunk
            percent = 100.00
            type = finished reading

Here is the meaning of the output:

file position: The file pointer position that Splunk is currently reading at. If this is the same as file size, that means Splunk reach end of file (EOF).

file size : Total file size of the monitored file.

parent : If you are monitoring a directory, this tell you from which monitoring stanza the file is come from.

percent : The progress of the monitoring. If it is less than 100%, Splunk will re-visit the file again.

type: The monitoring status. It can be ‘finished reading’, ‘open file’, ‘missing’, ’directory’, 'reading (batch)'.

Remark: If you saw 'reading (batch)', that means the file that you are monitoring is greater than min_batch_size_bytes under limits.conf (default is 20M in size) and Splunk is using batch processor to process the file. It is a single thread process and will process one file at a time. (TailingProcessor is multi thread process).

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...