Getting Data In

Is there an easier way to check file monitoring status besides using the TailingProcessor:FileStatus output?

daniel_splunk
Splunk Employee

I know I can use this command to check the file monitoring status; however, it gives a huge output.

./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus -auth admin:changeme

OR

https://localhost:8089/services/admin/inputstatus

Is there any other command that also does the job?

0 Karma

daniel_splunk
Splunk Employee

Starting from Splunk version 6.3 and later, you can use this command.

./splunk list inputstatus

It will return something like this.

Cooked:tcp :
        9997:192.168.1.104:8089
                time opened = 2017-07-09T17:28:47+0800

    /opt/splunk/var/log/splunk/splunkd_ui_access.log
            file position = 434781
            file size = 434781
            parent = $SPLUNK_HOME/var/log/splunk
            percent = 100.00
            type = finished reading

Here is the meaning of the output:

file position: The file pointer position that Splunk is currently reading at. If this is the same as file size, that means Splunk has reached end of file (EOF).

file size: Total file size of the monitored file.

parent: If you are monitoring a directory, this tells you which monitoring stanza the file comes from.

percent: The progress of the monitoring. If it is less than 100%, Splunk will revisit the file.

type: The monitoring status. It can be 'finished reading', 'open file', 'missing', 'directory', 'reading (batch)'.

Remark: If you see 'reading (batch)', that means the file that you are monitoring is greater than min_batch_size_bytes under limits.conf (default is 20M in size) and Splunk is using the batch processor to process the file. It is a single-threaded process and will process one file at a time. (TailingProcessor is a multi-threaded process.)
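
As an added example (not part of the original answer and not Splunk's own tooling), this Python sketch parses text in the layout shown above and reports monitored files whose type is 'missing' or whose percent is below 100, which is a quick way to spot gaps in log collection. The `/var/log/example/...` entries are constructed sample data, and the parser assumes the output layout matches the excerpt in the answer.

```python
# Constructed sample in the layout shown in the answer; the two
# /var/log/example entries are invented for illustration.
SAMPLE = """\
Cooked:tcp :
        9997:192.168.1.104:8089
                time opened = 2017-07-09T17:28:47+0800

    /opt/splunk/var/log/splunk/splunkd_ui_access.log
            file position = 434781
            file size = 434781
            parent = $SPLUNK_HOME/var/log/splunk
            percent = 100.00
            type = finished reading

    /var/log/example/auth.log
            percent = 25.00
            type = open file

    /var/log/example/audit.log
            type = missing
"""

def parse_inputstatus(text):
    """Return {entry name: {field: value}} from `splunk list inputstatus` text."""
    entries, current = {}, None
    for raw in text.splitlines():
        # "key = value" lines belong to the most recent header line.
        key, sep, value = raw.strip().partition(" = ")
        if sep and current is not None:
            entries[current][key] = value
        elif key:  # non-empty line without " = " starts a new entry
            current = key
            entries[current] = {}
    return entries

def lagging_files(entries):
    """List (path, type, percent) for files that are missing or not fully read."""
    out = []
    for name, fields in entries.items():
        if "type" not in fields:
            continue  # not a monitored-file entry (e.g. the TCP input)
        pct = float(fields["percent"]) if "percent" in fields else None
        if fields["type"] == "missing" or (pct is not None and pct < 100.0):
            out.append((name, fields["type"], pct))
    return out

if __name__ == "__main__":
    for name, typ, pct in lagging_files(parse_inputstatus(SAMPLE)):
        print(f"{name}\t{typ}\t{pct}")
```

To run it against a live instance, pipe the output of `./splunk list inputstatus` into the script and pass that text to `parse_inputstatus` instead of `SAMPLE`.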
