Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What does the number of files in the data inputs, files and directories page indicate?

paduka
Path Finder
‎10-05-2016 02:33 PM

Hi Everyone,

I was wondering what the number of files in the data inputs, files and directories page indicate? I have attached a snapshot here.

alt text
Thanks,
Paduka

Preview file
7 KB
0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 02:39 PM

It's the number of files being monitored by Splunk for that monitor/batch data input. When you setup a data input via file/directory monitoring (and restart if deploying data input via conf files), Splunk creates a list of files that it should be watching/monitoring for changes and the column "Number of files" represent that.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2019 04:52 AM

This is what one would assume but it is definitely not the whole case. I would open a support case and also ask them to update the docs on this because it does different things for different types of inputs. For example, the Splunk_TA_nix has an input for /var/log/secure and this screen shows a value of 144 even though it only contains the exact file and 4 rotated files. This makes no sense.

0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 02:40 PM

Please note that these number get affected by settings like ignoreOlderThan, blacklist/whitelist etc.

0 Karma
Reply

paduka
Path Finder
‎10-05-2016 02:50 PM

I feel it's not that number. I have done multiple tests on this but it is never the number of files that are being monitored by Splunk using the monitor input.

0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 03:06 PM

I don't think there is 100% accurate method to know exact number of files being monitored. The inaccuracies are generally due to whitelist/blacklist regex. You can also compare the numbers from UI (the place you mentioned), from CLI (Run $Splunk_Home/bin/splunk list monitor ). The UI is actually uses Rest API Endpoint /data/input/monitor/<<URLENcodedMonitoredPath>> to get that info. See this for more info on that Rest API Endpoint.
http://docs.splunk.com/Documentation/Splunk/6.2.6/RESTREF/RESTinput#data.2Finputs.2Fmonitor.2F.7Bnam...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...