
SPL

How to Check When Splunk Is Finished Indexing a Log File

Description

Submitted by Suren

How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to the learnsplunk.com author, who originally posted it on his website.)

By watching data from Splunk's metrics log in real time:

************************************************************
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="your_sourcetype_here" | eval MB=kb/1024 | chart sum(MB)
************************************************************

Or, to watch everything happening, split by sourcetype:

************************************************************
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series
************************************************************

And if you're having trouble with a data input and you want a way to troubleshoot it, particularly if your whitelist/blacklist rules aren't working the way you expect, go to this URL: https://yoursplunkhost:8089/services/admin/inputstatus
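
The same per-sourcetype totals can be computed straight from metrics.log on the indexer, which also makes the "finished" condition explicit: the series stops appearing while the log keeps advancing. This is an added example, not part of the original post; the sample lines are constructed, and the summarize() helper and its 90-second quiet window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the metrics.log layout (not taken from a real host).
SAMPLE = """\
01-14-2016 09:00:31.015 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=12.387, eps=40.1, kb=384.000, ev=1243, avg_age=1.2, max_age=3
01-14-2016 09:00:31.015 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.000, eps=5.0, kb=31.000, ev=155, avg_age=0.5, max_age=1
01-14-2016 09:01:02.015 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="iis", kbps=20.645, eps=66.0, kb=640.000, ev=2046, avg_age=1.1, max_age=2
01-14-2016 09:01:02.015 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.000, eps=5.0, kb=31.000, ev=155, avg_age=0.5, max_age=1
01-14-2016 09:01:33.015 -0500 INFO  Metrics - group=pipeline, name=indexerpipe, processor=indexin, cpu_seconds=0.000, executes=120
01-14-2016 09:01:33.015 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.000, eps=5.0, kb=31.000, ev=155, avg_age=0.5, max_age=1
01-14-2016 09:02:35.015 -0500 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.000, eps=5.0, kb=31.000, ev=155, avg_age=0.5, max_age=1
"""

LINE = re.compile(r"^(\S+ \S+ \S+) INFO\s+Metrics - (.*)$")
PAIR = re.compile(r'(\w+)="?([^",]+)"?')  # key=value or key="value"

def summarize(text, quiet_seconds=90):
    """Per series: total MB, average eps, idle time, and a 'finished' flag."""
    kb, eps, last_seen, newest = defaultdict(float), defaultdict(list), {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        newest = ts if newest is None else max(newest, ts)  # the log's clock
        fields = dict(PAIR.findall(m.group(2)))
        if fields.get("group") != "per_sourcetype_thruput":
            continue  # other metric groups only advance the clock
        s = fields["series"]
        kb[s] += float(fields["kb"])            # same as sum(kb)
        eps[s].append(float(fields["eps"]))     # same as avg(eps)
        last_seen[s] = max(ts, last_seen.get(s, ts))
    out = {}
    for s in kb:
        idle = (newest - last_seen[s]).total_seconds()
        out[s] = {"MB": kb[s] / 1024, "avg_eps": sum(eps[s]) / len(eps[s]),
                  "idle_s": idle, "finished": idle >= quiet_seconds}
    return out

if __name__ == "__main__":
    for series, row in summarize(SAMPLE).items():
        print(series, row)
```

By default metrics.log is written every 30 seconds and lists only the busiest series in each interval, so a low-volume sourcetype can drop out of the log while it is still being indexed.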

Comments

1 total

SplunkNinja
1/14/2016

Awesome query, thanks for sharing! I ran this (slight modification of your query) and it was interesting to see the spike in throughput along with traffic patterns with our IIS data source:
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="iis" | eval MB=kb/1024 | timechart sum(MB)
