Why is splunk list inputstatus command showing fil...

techols · ‎08-17-2020

We are using the UF to monitor multiple files which are to be considered transient. All we want to do is get them forwarded then remove them. We are using the splunk list inputstatus command to verify files have been forwarded, but even after removing them from the monitored location, the files still show as been open for reading using the inputstatus command.

How long should it take for the UF to recognize the file is no longer present and should no longer to be monitored?

Is there a way to explicitly remove a file from being monitored without needing to restart the UF or add files to the blacklist? I see there is a remove operation under https://<server>:<port>/services/admin//monitor. What does that do?

FrankVl · ‎08-18-2020

That's a good question. Had a quick look at my lab environment and there I also see files from years ago, that have long since been deleted, still listed as "open file", but with percent=100 and the file position equal to the file size (others are listed as "finished reading).

To some extent I would say this is how the whole 'fishbucket' stuff works, where splunk keeps track of which files it has been reading from and how far it got etc. But why it lists long deleted files still as "open file" is also beyond me...

Why is splunk list inputstatus command showing files that have been deleted as still being monitored?

forwarder

forwarder management

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!