Solved: How to see a list of files that Splunk is currentl...

s1j1yem1x · ‎09-19-2019

I want to list out the current data inputs,

I ran the following command:

C:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor

Splunk prompted me for username and password, I entered my admin username and password, but I did not see a list of files that Splunk is currently monitoring.

Instead the command prompt reverted back to:

C:\Program Files\SplunkUniversalForwarder\bin

What am I doing wrong? Thanks for your help

woodcock · ‎09-20-2019

Splunk should always be monitoring it's own flies inside of $SPLUNK_HOME/var/logs/splunk/*.log unless you told it not to. The real problem is that you are on Windows and using cmd.exe so the output does not show to the screen easily. What I always do is install mobaxterm (https://download.mobatek.net/1222019090914414/MobaXterm_Installer_v12.2.zip) and run my commands in a *NIX-like environment.

Short of that, simply run cmd.exe with run as administrator and instead of opening a popup that immediately closes (which you obviously have not even noticed because it happens so quickly), it will pipe the output to your screen the way that you expect.

P.S. This is probably the real answer and you should probably unaccept the other one and accept this one because this one actually contains a solution that gives you the output.

View solution in original post

woodcock · ‎09-20-2019

Splunk should always be monitoring it's own flies inside of $SPLUNK_HOME/var/logs/splunk/*.log unless you told it not to. The real problem is that you are on Windows and using cmd.exe so the output does not show to the screen easily. What I always do is install mobaxterm (https://download.mobatek.net/1222019090914414/MobaXterm_Installer_v12.2.zip) and run my commands in a *NIX-like environment.

Short of that, simply run cmd.exe with run as administrator and instead of opening a popup that immediately closes (which you obviously have not even noticed because it happens so quickly), it will pipe the output to your screen the way that you expect.

P.S. This is probably the real answer and you should probably unaccept the other one and accept this one because this one actually contains a solution that gives you the output.

s1j1yem1x · ‎09-20-2019

Thank you @woodcock. You're the best! It works. I used Windows Powershell (Admin), issued C:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor and it displayed list of files that Splunk is currently monitoring. Thank you again.

joesrepsolc · ‎07-31-2020

Can someone go over these steps more clearly? Still trying to list all the monitors from a Windows UF. No matter what I do I cannot seem to get this to work! I have the splunk account/password that the UF runs as, and I can login to the Windows host... tried command.exe as well as powershell, just cannot get it to output any data.

Trying to validate how many files this UF is monitoring. Assuming its up over 100,000 files and need to prove it. Thanks! Joe

s1j1yem1x · ‎09-20-2019

Just want to quickly add that I installed Splunk on a personal computer and not on a server. How can I monitor at least some files on my PC just to prove that the Forwarder is monitoring something? Thanks.

woodcock · ‎09-20-2019

When you have entered the correct login and PW the first time for your connection/session, it is cached and will not prompt you to authenticate again if you enter another command that would normally require it. I suspect that you entered invalid credentials. Based on what I just said, you can test for this by issuing the same command again. If it prompts you for credentials again, then you know that the previous attempt failed so the problem is your credentials. If it just returns the shell prompt, then the command did run and the "problem" is that splunk is not monitoring any files on that forwarder.

s1j1yem1x · ‎09-20-2019

Thanks for your insight @woodcock. I issued the same command again. It didn't prompt me for credentials again, it just returns the shell prompt. Like you said, is it okay to assume that "the command did run and splunk is not monitoring any files on that forwarder?" Thank you so much.

s1j1yem1x · ‎09-20-2019

Just want to quickly add that I installed Splunk on a personal computer and not on a server. How can I monitor at least some files on my PC just to prove that the Forwarder is monitoring something? Thanks.

richgalloway · ‎09-20-2019

Did you enter the admin name and password for the forwarder? These would be the credentials set up when the forwarder was installed, not your personal login.

---
If this reply helps you, Karma would be appreciated.

s1j1yem1x · ‎09-20-2019

Thanks for the response @richgalloway . I used the same username and password for Splunk Enterprise and Forwarder. Looks like that's a bad decision or how can I change the Forwarder password? Thanks a lot.

How to see a list of files that Splunk is currently monitoring?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!