How can I understand when Splunk has finished indexing a log file?

1 Answer

We can figure this out:

By watching data from Splunk’s metrics log in real-time:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="<your_sourcetype_here>" | eval MB=kb/1024 | chart sum(MB)

By watching everything split by source type:

index="_internal" source="*metrics.log" group="per_sourcetype_thruput" | eval MB=kb/1024 | chart sum(MB) avg(eps) over series

If we are having trouble with data input and we want a way to troubleshoot it, particularly if our whitelist/blacklist rules are not working the way we expected, we will go to the following URL:
...
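The metrics.log searches above show throughput but leave the "finished" decision to whoever is watching. The following is an added example, not part of the original answer or of Splunk: it parses per_sourcetype_thruput lines offline and reports a sourcetype as done once it has been silent for several reporting intervals. The sample lines are constructed, the function names are hypothetical, and the 30-second interval and three-interval threshold are assumptions to adjust for your deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the metrics.log per_sourcetype_thruput layout (not real data).
SAMPLE = """\
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_log", kbps=34.1, eps=110.0, kb=1024.0, ev=3300, avg_age=1.0, max_age=2
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.2, eps=12.0, kb=128.0, ev=360, avg_age=0.5, max_age=1
03-01-2024 10:00:32.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_log", kbps=68.2, eps=220.0, kb=2048.0, ev=6600, avg_age=1.0, max_age=2
03-01-2024 10:01:03.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_log", kbps=17.0, eps=55.0, kb=512.0, ev=1650, avg_age=1.0, max_age=2
03-01-2024 10:01:34.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.2, eps=12.0, kb=128.0, ev=360, avg_age=0.5, max_age=1
03-01-2024 10:02:05.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.2, eps=12.0, kb=128.0, ev=360, avg_age=0.5, max_age=1
03-01-2024 10:02:36.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=4.2, eps=12.0, kb=128.0, ev=360, avg_age=0.5, max_age=1
"""

# \bkb= matches the per-interval kilobyte count and skips the kbps= field.
LINE = re.compile(
    r'^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4}) .*?'
    r'group=per_sourcetype_thruput, series="([^"]+)".*?\bkb=([\d.]+)')

def parse(text):
    """Yield (timestamp, series, kb) for each per_sourcetype_thruput line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%m-%d-%Y %H:%M:%S.%f %z")
            yield ts, m[2], float(m[3])

def indexing_status(text, series, quiet_intervals=3,
                    interval=timedelta(seconds=30)):  # assumed reporting interval
    """Return (total_mb, finished) for one sourcetype.

    finished is True when the series last reported data at least
    quiet_intervals * interval before the newest metrics sample of any series.
    """
    rows = list(parse(text))
    active = [(ts, kb) for ts, s, kb in rows if s == series and kb > 0]
    if not active:
        return 0.0, False  # never seen: cannot claim it finished
    latest = max(ts for ts, _, _ in rows)
    last_active = max(ts for ts, _ in active)
    total_mb = sum(kb for _, kb in active) / 1024
    return total_mb, latest - last_active >= quiet_intervals * interval

if __name__ == "__main__":
    for name in ("app_log", "syslog"):
        print(name, indexing_status(SAMPLE, name))
```

A silent series can also mean a stalled or blocked input, so compare the reported total against the size of the source file before treating the file as fully indexed.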