Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to query a universal forwarder about the transfer status of monitored files?

cwacha
Path Finder
‎01-18-2013 12:40 AM

We are monitoring many files with the UF using the [monitor] stanza. For housekeeping reasons we need to delete the files every now and then. Now deleting a file that was not already fully transferred to the indexer would lead to data loss.

How can we find out which files have already been transferred by the UF?

Of course the UF itself does not know that a file is already complete or closed. It only sees that there was not more data added since some time. So what we need is some kind of list that shows the filenames being monitored as well as the file pointer up to what amount was already transferred.

example output:

/var/adm/messages 1233122
/var/adm/authlog 1233

Based on that our cleanup mechanism could then compare the actual size of a closed file with the size reported in the output above. If they are equal it knows that the UF has transferred everything and we can delete the file.

An alternative would also be to provide an "auto-close" function in the UF. This function would trigger the execution of a shell command (specified in inputs.conf) as soon as the file's size has not changed for "auto-close-seconds" (also specified in intputs.conf).

0 Karma
Reply

ahattrell_splun
Splunk Employee
Splunk Employee
‎01-18-2013 01:39 AM

The following command is very useful:

./splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus

It lists all files monitored (and rejected for whatever reason), their size, how far
splunk has got through the file so far.

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...