Getting Data In

What does the number of files in the data inputs, files and directories page indicate?

paduka
Path Finder

Hi Everyone,

I was wondering what the number of files in the data inputs, files and directories page indicates. I have attached a snapshot here.

Thanks,
Paduka

0 Karma

somesoni2
Revered Legend

It's the number of files being monitored by Splunk for that monitor/batch data input. When you set up a data input via file/directory monitoring (and restart if deploying the data input via conf files), Splunk creates a list of files that it should be watching/monitoring for changes, and the column "Number of files" represents that.

0 Karma

woodcock
Esteemed Legend

This is what one would assume but it is definitely not the whole case. I would open a support case and also ask them to update the docs on this because it does different things for different types of inputs. For example, the Splunk_TA_nix has an input for /var/log/secure and this screen shows a value of 144 even though it only contains the exact file and 4 rotated files. This makes no sense.

0 Karma

somesoni2
Revered Legend

Please note that these numbers get affected by settings like ignoreOlderThan, blacklist/whitelist, etc.

0 Karma

paduka
Path Finder

I feel it's not that number. I have done multiple tests on this but it is never the number of files that are being monitored by Splunk using the monitor input.

0 Karma

somesoni2
Revered Legend

I don't think there is a 100% accurate method to know the exact number of files being monitored. The inaccuracies are generally due to whitelist/blacklist regex. You can also compare the numbers from the UI (the place you mentioned) and from the CLI (run `$SPLUNK_HOME/bin/splunk list monitor`). The UI actually uses the REST API endpoint `/data/inputs/monitor/<<URLENcodedMonitoredPath>>` to get that info. See this for more info on that REST API endpoint:
http://docs.splunk.com/Documentation/Splunk/6.2.6/RESTREF/RESTinput#data.2Finputs.2Fmonitor.2F.7Bnam...

0 Karma