
What is the format of the Sources.data file?

$SPLUNK_HOME/var/lib/splunk/defaultdb/db/Sources.data

On a fresh install I see this file has something like this:

0 0 2147483647 0 0

What is the significance of these numbers?

Can you provide any more insight into what this file does and how it is structured?


Re: What is the format of the Sources.data file?


Please be aware that Sources.data is not a configuration file -- it gets overwritten by splunkd every 10 to 60 seconds.


Re: What is the format of the Sources.data file?


The first line is special (meta-metadata? hmm); after that, lines look like

7   source::/home/v/stable/cloud/summary/global.cskv    20   1260176339  1263593861  1263593861

As far as "user-friendly" content goes, the 3rd field (in this example, 20) is the # of events.

What the *.data files do: they are nonvolatile snapshots of the metadata -- which can also be queried via splunk search. When you search | metadata type=sources | stats sum(totalCount) as count, that's the same as doing awk 'NR>1 {sum += $3} END {print sum}' Sources.data, except that querying metadata through splunk search is more likely to give you fresh totals.

Querying metadata files (*.data) is recommended only if:

  • your instance is down
  • you don't want to pollute any Splunk logs with your queries
  • you really like awk(1) 😉

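Added example, not part of the original posts: an offline reader for a `*.data` snapshot, useful when the instance is down and you need per-source event counts from disk. The function names and the second and third sample lines are constructed; the layout is assumed from the one sample line in the thread, and reading fields from the end of the line (so a source path containing spaces does not shift the count) is an assumption about the format, not something Splunk documents here.

```shell
#!/bin/sh
# Assumed layout (from the sample line in the thread): line 1 is a header;
# later lines are "<id> <key> <count> <t1> <t2> <t3>", whitespace-separated.
# The thread only identifies <count>; the three timestamps are passed through as-is.

# Print "count<TAB>t1<TAB>t2<TAB>t3<TAB>key" per entry, skipping malformed lines.
data_entries() {
    awk 'NR > 1 && NF >= 6 {
        # Index from the end of the line so spaces inside the key are tolerated.
        count = $(NF-3); t1 = $(NF-2); t2 = $(NF-1); t3 = $NF
        if (count !~ /^[0-9]+$/ || t1 !~ /^[0-9]+$/) next
        if (t2 !~ /^[0-9]+$/ || t3 !~ /^[0-9]+$/) next
        key = $2
        # Re-join key fragments (runs of whitespace collapse to one space).
        for (i = 3; i <= NF - 4; i++) key = key " " $i
        printf "%s\t%s\t%s\t%s\t%s\n", count, t1, t2, t3, key
    }' "$1"
}

# Total event count across all well-formed entries.
data_total() {
    data_entries "$1" | awk -F '\t' '{ sum += $1 } END { print sum + 0 }'
}

# Write constructed sample input: the header and first entry are from the
# thread; the path with a space and the truncated line are made up.
make_sample() {
    cat > "$1" <<'EOF'
0 0 2147483647 0 0
7   source::/home/v/stable/cloud/summary/global.cskv    20   1260176339  1263593861  1263593861
8   source::/var/log/my app/access.log    5   1260000000  1260000500  1260000500
9   truncated-line
EOF
}

# Stand-alone use: sh script.sh /path/to/Sources.data
if [ -n "${1:-}" ]; then
    data_entries "$1"
    echo "total: $(data_total "$1")"
fi
```

Because splunkd rewrites the file every 10 to 60 seconds, copy it first and run this against the copy if the instance is still up.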