Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is splunk list inputstatus command showing files that have been deleted as still being monitored?

techols
New Member
‎08-17-2020 07:39 PM

We are using the UF to monitor multiple files which are to be considered transient.  All we want to do is get them forwarded then remove them.  We are using the splunk list inputstatus command to verify files have been forwarded, but even after removing them from the monitored location, the files still show as been open for reading using the inputstatus command. 

How long should it take for the UF to recognize the file is no longer present and should no longer to be monitored?

Is there a way to explicitly remove a file from being monitored without needing to restart the UF or add files to the blacklist?  I see there is a remove operation under https://<server>:<port>/services/admin//monitor.  What does that do?

Labels (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎08-18-2020 04:38 AM

That's a good question. Had a quick look at my lab environment and there I also see files from years ago, that have long since been deleted, still listed as "open file", but with percent=100 and the file position equal to the file size (others are listed as "finished reading).

To some extent I would say this is how the whole 'fishbucket' stuff works, where splunk keeps track of which files it has been reading from and how far it got etc. But why it lists long deleted files still as "open file" is also beyond me...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...