How to check status of indexing?

pradjswl · ‎05-04-2017

I am using splunk-enterprise in my local machine. I have configured 4 Files/Directory monitoring for the data indexing. I added one file in all of the directory. I dont see the data from 4ht directory getting indexed and shown in splunk result. Thought i do see the data from other 3 directory getting indexed and displayed in search result. Is there a way I can check the status if the data from that directory is really indexed or not . I am looking for an approach other than searching for that data in search query, as I already know the search is not returning the result from that source type.

richgalloway · ‎05-04-2017

Since you have 3 of the 4 directories indexed we can monitoring is working correctly. That means either 1) the monitor settings for the 4th directory are incorrect; or 2) the query searching for directory 4 is incorrect. Double-check your monitor settings and compare them to your query.

---
If this reply helps you, Karma would be appreciated.

DalJeanis · ‎05-04-2017

I'd also carefully check the conf settings for the fourth source type and see if any values have not been updated correctly.

I'd also do a quick search to see if maybe the results WAS indexed, but was marked with the wrong sourcetype...

(a search that returns one specific record from the test file) 
| stats count as totalcount dc(sourcetype) as distinctcount by _raw

How to check status of indexing?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...