Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Are there any easier way to check file monitoring status beside using TailingProcessor:FileStatus output

daniel_splunk
Splunk Employee
Splunk Employee
‎07-10-2017 09:14 PM

I know I can use this command to check the file monitoring status, however, it give a huge output.

./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus -auth admin:changeme

OR

https://localhost:8089/services/admin/inputstatus

Are there any other command which also do the job?

0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎07-10-2017 09:17 PM

Starting from splunk version 6.3 and later, you can use this command.

./splunk list inputstatus

It will return something like this.

Cooked:tcp :
        9997:192.168.1.104:8089
                time opened = 2017-07-09T17:28:47+0800

    /opt/splunk/var/log/splunk/splunkd_ui_access.log
            file position = 434781
            file size = 434781
            parent = $SPLUNK_HOME/var/log/splunk
            percent = 100.00
            type = finished reading

Here is the meaning of the output:

file position: The file pointer position that Splunk is currently reading at. If this is the same as file size, that means Splunk reach end of file (EOF).

file size : Total file size of the monitored file.

parent : If you are monitoring a directory, this tell you from which monitoring stanza the file is come from.

percent : The progress of the monitoring. If it is less than 100%, Splunk will re-visit the file again.

type: The monitoring status. It can be ‘finished reading’, ‘open file’, ‘missing’, ’directory’, 'reading (batch)'.

Remark: If you saw 'reading (batch)', that means the file that you are monitoring is greater than min_batch_size_bytes under limits.conf (default is 20M in size) and Splunk is using batch processor to process the file. It is a single thread process and will process one file at a time. (TailingProcessor is multi thread process).

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...