This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.

List of Enterprise Security app log files
Log file name | Purpose |
---|---|
correlationsearches_rest_handler.log | Logs calls to the correlation searches REST handler. Indicates when the correlation searches REST handler was called. |
es_installer_controller.log | Logs calls to the Enterprise Security installer controller and provides information about activities that occurred when Enterprise Security is installed or upgraded. |
essinstall.log | Logs actions taken by the Enterprise Security setup page and provides information about the actions taken when the Enterprise Security setup page is invoked. |
eventgen.log | Logs actions taken by the event generator. Includes information about which samples were used and when data is generated. |
governance_makeCSV.log | Logs activities from the script which populates the governance lookup. Indicates when the governance script has requested a refresh of the governance lookup file. |
governance_rest_handler.log | Logs activity from the governance REST handler which performs updates to the governance lookup file. Indicates when the governance REST handler has refreshed the governance lookup file. |
identityLookup_base_class.log | Logs activity from the identity lookup helper classes for expanding the user-editable identity lookup file in the Splunk readable format. Indicates when the user-editable identity lookup file is in the Splunk readable format; can identify errors in the identity lookup file. |
identityLookup_reload.log | Logs activity from the scripted input that invokes updates to the identity lookup file and indicates when the identity lookup file refresh is invoked. |
identityLookup_rest_handler.log | Logs activity from the identity lookup REST handler that updates the identity lookup file. Indicates when the identity lookup file is updated. |
intentions.log | core log file |
LogReviewPopup_rest_handler.log | Logs from the REST handler responsible for providing the log review configuration settings. Contains requests for or changes to log review settings. |
log_review_popup_module.log | Logs activity from the log review popup module (on the Incident Review page), and provides information about changes to notable events made from the Incident Review page. |
notable_event_status.log | Logs activity from the notable event status helper classes that manage notable event statuses, and provides information about changes to the notable event statuses. |
notable_event_suppression.log | Logs activity from the notable event suppression helper classes that manage notable event suppressions. Provides information about changes to the notable event suppressions. |
notable_event_suppression_autoDisable.log | Logs activity from the scripted input responsible for disabling expired notable event suppressions. Indicates when expired suppressions are pruned. |
notable_owners.log | Logs activity from the scripted input that updates the list of notable owners. Indicates when the list of notable owners is refreshed. |
postprocess.log | Logs activity from the scheduled post-process that takes the results from a scheduled search and performs additional processing. Indicates when search results are post-processed. |
postprocess_base_class.log | Logs activity from a post-process helper class that provides access to the post-processes. Indicates when post-processes are retrieved. |
postprocess_rest_handler.log | Logs activity of the post-process REST handler. Indicates when post-processes are accessed, updated, created, or deleted. |
python.log | core log file |
python_modular_input.log | Logs activity from Python-based modular inputs. Indicates when Python-based modular inputs are executed and provides information useful for debugging problems with modular inputs. |
reviewstatuses_makeCSV.log | Logs activity from the script responsible for updating the review statuses lookup. Indicates when the review statuses lookup file is refreshed. |
reviewstatuses_rest_handler.log | Logs requests to the review statuses REST handler that provides access and modifications to the review statuses. Indicates when review statuses are accessed or modified. |
searches.log | core log file |
suppressions_rest_handler.log | Logs requests to the suppressions REST handler that provides access and modifications to the notable event suppressions. Indicates when the notable event suppressions are accessed or modified. |
transitioners_rest_handler.log | Logs requests to the list of people who can transition notable event statuses. Indicates when the list of notable status transitioners is requested. |
transitions_rest_handler.log | Logs requests for access to or changes to the list of transitions. Indicates when the notable event transitions are accessed or modified. |
tsidxstats_rest_handler.log | Logs requests to the TSIDX REST handler that provides information about TSIDX namespaces. Indicates when TSIDX namespace information is requested. |
Last modified on 01 July, 2014
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3