Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What does the number of files in the data inputs, files and directories page indicate?

paduka
Path Finder
‎10-05-2016 02:33 PM

Hi Everyone,

I was wondering what the number of files in the data inputs, files and directories page indicate? I have attached a snapshot here.

alt text
Thanks,
Paduka

Preview file
1 KB
0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 02:39 PM

It's the number of files being monitored by Splunk for that monitor/batch data input. When you setup a data input via file/directory monitoring (and restart if deploying data input via conf files), Splunk creates a list of files that it should be watching/monitoring for changes and the column "Number of files" represent that.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2019 04:52 AM

This is what one would assume but it is definitely not the whole case. I would open a support case and also ask them to update the docs on this because it does different things for different types of inputs. For example, the Splunk_TA_nix has an input for /var/log/secure and this screen shows a value of 144 even though it only contains the exact file and 4 rotated files. This makes no sense.

0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 02:40 PM

Please note that these number get affected by settings like ignoreOlderThan, blacklist/whitelist etc.

0 Karma
Reply

paduka
Path Finder
‎10-05-2016 02:50 PM

I feel it's not that number. I have done multiple tests on this but it is never the number of files that are being monitored by Splunk using the monitor input.

0 Karma
Reply

somesoni2
Revered Legend
‎10-05-2016 03:06 PM

I don't think there is 100% accurate method to know exact number of files being monitored. The inaccuracies are generally due to whitelist/blacklist regex. You can also compare the numbers from UI (the place you mentioned), from CLI (Run $Splunk_Home/bin/splunk list monitor ). The UI is actually uses Rest API Endpoint /data/input/monitor/<<URLENcodedMonitoredPath>> to get that info. See this for more info on that Rest API Endpoint.
http://docs.splunk.com/Documentation/Splunk/6.2.6/RESTREF/RESTinput#data.2Finputs.2Fmonitor.2F.7Bnam...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...