Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Spotting when a file has been finished indexing?

szabados
Communicator
‎10-12-2015 12:33 AM

I have a monitor input, which rarely has new files, and I'd like set up an alert for it. How can I find something about when a file has been finished reading in ?

Tags (3)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-12-2015 01:15 AM

Hi szabados,

take a look at this great blog post http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ where you learn to use the REST endpoint of the TailingProcessor to show its activities and what files are currently being read.

Hope this helps ...

cheers, MuS

0 Karma
Reply

szabados
Communicator
‎10-13-2015 12:14 AM

Thanks, but my idea was to set up an alert in splunk, based on the contents of the internal log of the forwarder.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-14-2015 01:50 PM

You could enable debugging on the TailingProcessor on the forwarder http://docs.splunk.com/Documentation/Splunk/6.3.0/Troubleshooting/Enabledebuglogging and look what is reported in index=_internal or read the docs here http://docs.splunk.com/Documentation/Splunk/latest/Data/Troubleshoottheinputprocess

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...