Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to query a universal forwarder about the transfer status of monitored files?

cwacha
Path Finder
‎01-18-2013 12:40 AM

We are monitoring many files with the UF using the [monitor] stanza. For housekeeping reasons we need to delete the files every now and then. Now deleting a file that was not already fully transferred to the indexer would lead to data loss.

How can we find out which files have already been transferred by the UF?

Of course the UF itself does not know that a file is already complete or closed. It only sees that there was not more data added since some time. So what we need is some kind of list that shows the filenames being monitored as well as the file pointer up to what amount was already transferred.

example output:

/var/adm/messages 1233122
/var/adm/authlog 1233

Based on that our cleanup mechanism could then compare the actual size of a closed file with the size reported in the output above. If they are equal it knows that the UF has transferred everything and we can delete the file.

An alternative would also be to provide an "auto-close" function in the UF. This function would trigger the execution of a shell command (specified in inputs.conf) as soon as the file's size has not changed for "auto-close-seconds" (also specified in intputs.conf).

0 Karma
Reply

ahattrell_splun
Splunk Employee
Splunk Employee
‎01-18-2013 01:39 AM

The following command is very useful:

./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

It lists all files monitored (and rejected for whatever reason), their size, how far
splunk has got through the file so far.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...