Solved: How to find status of files being monitored?

wdsjon · ‎07-23-2015

Is there a command or somewhere to look regarding the status of file monitoring? I've set up a UF on an rsyslog machine with tons or currently residing text log files in nested directories that I've created a monitoring stanza for in an inputs.conf. Question - Is there a way from the universal forwarder to see the status of the files it's reading? I've been able to get sort of an idea with lsof , but some of the files are 50GB+. Thanks!

jnussbaum_splun · ‎07-23-2015

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

should get you done.

View solution in original post

jnussbaum_splun · ‎07-23-2015

$SPLUNK_HOME/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

should get you done.

robertlynch2020 · ‎01-14-2021

Sorry i am gettign this when i do that

bash$ splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
QUERYING: 'https://127.0.0.1:9089/services/admin/inputstatus/TailingProcessor:FileStatus'
This command [GET /services/admin/inputstatus/TailingProcessor:FileStatus] needs splunkd to be up, and splunkd is down.
dell425srv autoengine /dell425srv3/apps/AMBER_FWD/splunkforwarder_AMBER_PSC47_SEC1/splunkforwarder/bin/
bash$

martin_mueller · ‎07-23-2015

You're looking for this: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

How to find status of files being monitored?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector