Refine your search:

how can i tell when splunk is finished indexing a log file?

8

Is there an internal log message that will tell me when Splunk has finished indexing a file?

asked 10 Feb '10, 05:20

Alan%20Bradley's gravatar image

Alan Bradley
8606734
accept rate: 100%

3 Answers:
oldestnewestmost voted
6

  • When "monitoring" a file, Splunk never "finishes" since it can not know that when it reaches the end of the file that it will not be appended. Reaching the end of file is not recorded, since in normal operation, Splunk will often reach the end of file on every single event in the monitored log file, since it can read faster than logs are usually written.

  • In batch mode, the file will be deleted when it is finished.

  • In oneshot mode, you can query the REST API at https://localhost:8089/services/data/inputs/oneshot to see if the input is present; if it isn't, then indexing is complete.

link

answered 10 Feb '10, 06:51

gkanapathy's gravatar image

gkanapathy ♦
26.4k1622
accept rate: 42%

6

If you want to be able to tell yourself, as opposed to a script or other process being able to tell, the real-time search feature available in 4.1 can be very handy.

The simplest way is to run a real-time search in the main search interface, searching for whatever sourcetype, source and/or host that you're indexing the data with.

I recommend using an unbounded real-time search, ie the "Real Time > All time (real-time)" entry in the TimeRangePicker pulldown.

Then start the indexing, and you'll see the data pouring in. When the event numbers stop changing or when the rate of change drops down to whatever the real-time rate is, that means it's done or at least caught up to real-time.

A more interesting way is to watch the data from splunk's metrics log in real-time.

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="<your_sourcetype_here>" | eval MB=kb/1024 | chart sum(MB)

or to watch everything happening split by sourcetype....

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

(To get the same functionality for indexes, hosts, sources. just change per_sourcetype_thruput to one of per_index_thruput, per_host_thruput, per_source_thruput.)

And if you're having trouble with a data input and you want a way to troubleshoot it, particularly if your whitelist/blacklist rules arent working the way you expect, go to this URL:

https://yoursplunkhost:8089/services/admin/inputstatus

NOTE: You'll have to click through a bunch of browser security exceptions because splunkd has a self-signed cert and browsers are suspicious of this.

But that page will actually tell you status on every file matched by every input and whether it's matching a blacklist rule or a whitelist rule.

link

answered 05 Apr '10, 18:09

nick's gravatar image

nick ♦
14.2k1318
accept rate: 46%

edited 14 Jan '11, 08:53

3

It looks like there is a newer option where you can get some of this information from a REST call. You can point your browser the the following URL (make sure you adjust for your server/port) and see what your monitor stanzas are up to:

https://splunk-server:8089/services/admin/inputstatus/TailingProcessor:FileStatus

It looks that file that were completely read show up with a "percent" of "100.00", also the "type" shows up as "finished reading". I haven't seen any files that not yet caught up, so I'm not sure what that looks like exactly, but I would assume that the "file position" and "file size" would not line up in such cases. Anyways, this may be another way to get the desired information.

(I'm not sure when this was first introduced, but it's available on my 4.1.3 installs)

link

answered 07 Jul '10, 15:21

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

edited 07 Jul '10, 15:26

1

This was introduced in 4.1 as development debug endpoint point. It is not part of the QA testing and its efficiency at scale is still a bit of an unknown. Useful tool but its information should be taken with a grain of salt.

(07 Jul '10, 21:53) Alan Bradley
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×327
×147
×103

Asked: 10 Feb '10, 05:20

Seen: 1,507 times

Last updated: 14 Jan '11, 08:53

Related questions

Daily Indexing Blown away by Universal Forwarder and Performance Monitoring

Host name extraction via regex on indexing - Only indexing a single file?

A few events from a single log source file are getting stuck together at indexing - why?

file and folder monitoring NOT indexing

How to resume indexing a file after Splunk ignores it?

Log File Monitoring for specific string, rotating log file names, server requirements

Copyright © 2005-2012 Splunk, Inc. All rights reserved.