Is there a REST API call or other method to check ...

anoopambli · ‎10-15-2015

I have a customer complaining that one of the sourcetype data is not appearing for couple of days in the past. I see the files for those dates are available in customer's server, but Splunk didn't pick them up for only few days. (10th - 14th) on all other days it worked. I don't find anything wrong with the Splunk config and couldn't find anything from the logs which says an issue about Splunk.

Question is, is there a REST call or any other method to find which files a Splunk forwarder processed in the past? Like if I wanted to check which files were processed by splunkforwarder yesterday; is there a way to find that?

Yasaswy · ‎10-15-2015

Hi, something like
index=_internal host=yourForwarder earliest=-1d@d latest=@d per_source_thruput|stats avg(kb) by series
might help

maciep · ‎10-15-2015

I don't think this is what you're looking for exactly, but this should give you an idea of the files splunk is tailing.

index=_internal sourcetype=splunkd component="TailingProcessor" "adding watch"

anoopambli · ‎10-16-2015

thanks for your reply. If i am not wrong splunkd will show those entries in log only after a recycle of forwarder.

Is there a REST API call or other method to check which files were processed by a Splunk forwarder in the past?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services