Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is splunk list inputstatus command showing files that have been deleted as still being monitored?

techols
New Member
‎08-17-2020 07:39 PM

We are using the UF to monitor multiple files which are to be considered transient.  All we want to do is get them forwarded then remove them.  We are using the splunk list inputstatus command to verify files have been forwarded, but even after removing them from the monitored location, the files still show as been open for reading using the inputstatus command. 

How long should it take for the UF to recognize the file is no longer present and should no longer to be monitored?

Is there a way to explicitly remove a file from being monitored without needing to restart the UF or add files to the blacklist?  I see there is a remove operation under https://<server>:<port>/services/admin//monitor.  What does that do?

Labels (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎08-18-2020 04:38 AM

That's a good question. Had a quick look at my lab environment and there I also see files from years ago, that have long since been deleted, still listed as "open file", but with percent=100 and the file position equal to the file size (others are listed as "finished reading).

To some extent I would say this is how the whole 'fishbucket' stuff works, where splunk keeps track of which files it has been reading from and how far it got etc. But why it lists long deleted files still as "open file" is also beyond me...

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...