Splunk logfiles

This documentation does not apply to the most recent version of Splunk.

Splunk keeps track of its activity by logging to various files in $SPLUNK_HOME/var/log/splunk. You can search these files through SplunkWeb by typing:


index::_internal

Internal logs

Here is a complete list with descriptions of the internal logs in $SPLUNK_HOME/var/log/splunk. Splunk's internal logs are useful for troubleshooting or metric analysis.


dirmon.log

File tracking log containing information on all files that have been consumed, including tailing and network inputs.


DirMonCompleted.log

A log of files successfully processed by the directory monitor.


DirMonDuplicate.log

A log of files rejected by the directory monitor as already loaded.


DirMonError.log

A log of files the directory monitor failed to open and load successfully.


metrics.log

Contains information about CPU usage and Splunk's data processing.


searchhistory.log

A log of all searches performed on the server since installation or the most recent splunk clean command.


splunkd_stdout.log

The Unix standard output device for the server.


splunkd_stderr.log

The Unix standard error device for the server.


splunklogger.log

A subset of the Splunk server's own log events since installation or the most recent splunk clean command. This file is sent to index::splunklogger and can be searched through SplunkWeb.


splunkd.log

A record of actions made by the Splunk server. May be requested by Splunk Support for troubleshooting purposes.


web_access.log

A record of actions made by SplunkWeb, in an Apache access_log format.


web_service.log

A record of actions made by SplunkWeb.


debug

Splunk has a built-in CLI debugging command. Navigate to Splunk's CLI directory, $SPLUNK_HOME/bin, and use the ./splunk command. You can also add Splunk to your path and use the splunk command.


./splunk start --debug 

This command outputs logs to $SPLUNK_HOME/var/log/splunk/splunkd.log. To turn off debugging, stop or restart Splunk.


Please note: running Splunk with debugging turned on outputs a large amount of information. Make sure you do not leave debugging on for any significant length of time.


log.cfg

For more granular debugging messages, you can change log levels by editing $SPLUNK_HOME/etc/log.cfg. This affects what is written to Splunk's internal logs.


You can change the following categories in log.cfg. Set the category you wish to debug from WARN or INFO to DEBUG.


rootCategory=WARN,A1
category.LicenseManager=INFO
category.TcpOutputProc=INFO
category.TcpInputProc=INFO
category.UDPInputProcessor=INFO
category.SavedSplunker=INFO
category.DistributedMgr=INFO
category.DistributedExecutionContext=INFO
category.DistributedDeploymentProcessor=INFO
category.DistributedDeploymentClientProcessor=INFO
category.DistributedDeploymentClientMgr=INFO
category.DistributedDeploymentMgr=INFO
category.ThruputProcessor=WARN
category.ShutdownHandler=WARN
# leave loader at INFO!  this is what gives us our build + system info...
category.loader=INFO
category.ulimit=INFO
category.SearchPerformance=INFO
category.SearchPipelinePerformance=WARN

To change the maximum size of a log file before it rolls, change the maxFileSize value (in bytes) for the desired file:


appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=250000000
appender.A1.maxBackupIndex=5
appender.A1.layout=PatternLayout
appender.A1.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l} %-5p %c - %m%n
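
The following is an added example, not part of the Splunk documentation: a small Python check that reads log.cfg content, lists any category still set to DEBUG, and computes the most disk space each rolling log can occupy. The function name audit_log_cfg and the sample input are hypothetical, and the size calculation assumes the active file plus maxBackupIndex rolled copies are kept.

```python
# Added example: audit log.cfg for DEBUG categories and rolling-log disk ceilings.
# SAMPLE_CFG is constructed from the settings shown on this page, with
# category.TcpInputProc switched to DEBUG for illustration.
SAMPLE_CFG = """\
rootCategory=WARN,A1
category.LicenseManager=INFO
category.TcpInputProc=DEBUG
# leave loader at INFO!  this is what gives us our build + system info...
category.loader=INFO
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=250000000
appender.A1.maxBackupIndex=5
"""

SIZE_KEYS = ("fileName", "maxFileSize", "maxBackupIndex")


def audit_log_cfg(text):
    """Return (debug_categories, disk_ceilings) for log.cfg content."""
    debug, appenders = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "rootCategory" or key.startswith("category."):
            # rootCategory holds "LEVEL,appender"; categories hold only LEVEL.
            if value.split(",")[0].strip().upper() == "DEBUG":
                debug.append(key)
        elif key.startswith("appender."):
            parts = key.split(".")
            if len(parts) == 3 and parts[2] in SIZE_KEYS:
                appenders.setdefault(parts[1], {})[parts[2]] = value
    ceilings = {}
    for name, cfg in appenders.items():
        if "maxFileSize" in cfg:
            # Assumption: active file plus maxBackupIndex rolled copies are kept.
            copies = int(cfg.get("maxBackupIndex", 0)) + 1
            ceilings[cfg.get("fileName", name)] = int(cfg["maxFileSize"]) * copies
    return debug, ceilings


if __name__ == "__main__":
    found_debug, found_ceilings = audit_log_cfg(SAMPLE_CFG)
    for key in found_debug:
        print("DEBUG still enabled:", key)
    for path, size in found_ceilings.items():
        print(f"{path}: up to {size} bytes on disk")
```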

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.

