Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see Splunk Enterprise Security 8.x documentation.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Enable Debug Logging in Splunk Enterprise Security

You can enable debug logging for each component in Splunk Enterprise Security. See Enable debug logging in the Splunk Enterprise Troubleshooting Manual for general information about debug logging.

Enable Debug Logging for Adaptive Response Actions

Adaptive Response Actions have a global param.verbose setting that can be set in the alert_actions.conf file to affect all invocations of the action. You can also use the savedsearches.conf file to place the action in "debug mode" only for the invocations triggered by that saved search.

To enable debug logging through the CLI, edit the savedsearches.conf file as follows:

## $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
[<search_name>]
...
action.<action_name>.param.verbose = true
...

After changing the parameter, reload savedsearches from the UI.

To enable debug logging through the GUI, set verbose to true as follows:

  1. From the Splunk platform menu bar, select Settings and click Searches, Reports, and Alerts.
  2. Search for the name of saved search using the search filter.
  3. Click Edit > Advanced Edit.
  4. Scroll to action.<action_name>.param.verbose
  5. Set it to true.
  6. Click Save.

See Set up adaptive response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for general information about adaptive response actions.

Enable Debug Logging for Custom Search Commands protocol, Version 2

See Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise in the Developer Guide on the Developer Portal for information about version 2 of the Custom Search Command protocol.

You can use the "| noop log_DEBUG=*" command to set the logging level of the Version 2 (chunked) Custom Search Command protocol to debug. This works because a stream handler sends the logging output to the sys.stderr stream, which searches capture and display in search.log.

To apply it, append the noop command to the end of the search that runs your chunked custom command, for example:

| ... | <chunked_search_command> | noop log_DEBUG=*

Enable Debug Logging for Custom Search Command protocol, Version 1

Version 1 of the Custom Search Command protocol, or Intersplunk search commands, currently does not respect "| noop log_DEBUG=*". Log levels can be modified only by altering the command's Python script, at your own risk. Intersplunk search commands currently log to their own explicit log files instead of search.log.

See Create custom search commands for apps in Splunk Cloud or Splunk Enterprise in the Developer Guide on the Developer Portal for information about version 1 of the Custom Search Command protocol.

Enable Debug Logging for Extensible Administration Interface Handlers

Log levels for Extensible Administration Interface (EAI) handlers can be modified only by altering the handler's Python script, at your own risk.

See [admin_external:<uniqueName>] from restmap.conf in the Splunk Enterprise Admin Manual for general information about EAI handlers.

Enable Debug Logging for Modular Inputs

Modular inputs use a globally defined "debug" setting that can be toggled in the inputs.conf file.

To enable debug logging through the CLI, edit the inputs.conf file as follows:

## $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf
[<modular_input_name>://<module_input_instance>]
debug = true

To enable debug logging through the UI, the steps for most modular inputs are similar to the following:

  1. From the Splunk platform menu bar, select Settings and click Data inputs.
  2. Select a modular input such as Threat Intelligence Manager.
  3. Click an input such as da_ess_threat_local.
  4. Check the check box for Debug.
  5. Click Save.

To enable debug logging through the UI for Asset and Identity Management:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Global Settings tab.
  3. Enable the toggle switch for Debug Mode.
  4. Click Save.

See Create custom data inputs for Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal for information about modular inputs.

Enable Debug Logging for Script Handlers

Script handlers can use the script.arg.<N> = debug setting in the restmap.conf file to enable debug mode, where N is an integer. Note that the scripttype setting must be set to "persist" for this to work.

You cannot currently edit script.arg in the restmap.conf file through the GUI.

To enable debug logging through the CLI, edit the restmap.conf file as follows:

## $SPLUNK_HOME/etc/apps/<app>/local/restmap.conf
[script:<script_handler_name>]
...
script.arg.<N> = debug
...

See restmap.conf in the Splunk Enterprise Admin Manual for general information about script handlers.
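The CLI procedures above all come down to a key in an app's local .conf file, and debug logging is meant for troubleshooting, so a useful follow-up check is to confirm it was switched back off afterwards. As an added example that is not part of the Splunk documentation or product code, the script below parses the stanza-and-key format shared by savedsearches.conf, inputs.conf and restmap.conf and lists every stanza where one of the debug settings from this page (action.<action_name>.param.verbose, the modular input debug setting, or script.arg.<N> = debug) is still enabled. The embedded .conf content and every stanza, search and input name in it are constructed placeholders.

```python
"""Audit Splunk .conf files for debug settings that were left switched on.

Added example (not Splunk's own code): a small parser for the stanza/key
format used by savedsearches.conf, inputs.conf and restmap.conf, plus a check
that lists every stanza where verbose or debug logging is still enabled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample files; all stanza, search and input names are placeholders.
SAMPLE_CONFS: Dict[str, str] = {
    "savedsearches.conf": """\
# Correlation searches with adaptive response actions (constructed sample)
[Example Correlation Search - Rule]
action.notable = 1
action.notable.param.verbose = true
action.risk = 1

[Example Quiet Search - Rule]
action.notable = 1
action.notable.param.verbose = false
""",
    "inputs.conf": """\
[example_input://instance_a]
debug = true
disabled = 0

[example_input://instance_b]
debug = 0
""",
    "restmap.conf": """\
[script:example_handler]
scripttype = persist
script.arg.1 = debug

[script:quiet_handler]
scripttype = persist
script.arg.1 = --normal
""",
}

_STANZA_RE = re.compile(r"^\[(.+)\]$")
# Splunk accepts several spellings for a boolean "on".
_TRUE_VALUES = {"true", "t", "1", "yes", "y", "on"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Handles '#' comment lines, blank lines and backslash line continuations.
    Keys keep their case (Splunk keys such as action.notable.param.verbose are
    case-sensitive), which is why configparser is not used here.
    """
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):  # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _STANZA_RE.match(stripped)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = stripped.partition("=")
        if sep:  # ignore lines that are not a key = value pair
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_true(value: str) -> bool:
    """Interpret a Splunk boolean setting value."""
    return value.strip().lower() in _TRUE_VALUES


def find_debug_settings(confs: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (file, stanza, key, value) for each debug-style setting that is on.

    Covers the three knobs described on this page:
      action.<action_name>.param.verbose = true  (savedsearches.conf)
      debug = true                               (inputs.conf)
      script.arg.<N> = debug                     (restmap.conf)
    """
    findings: List[Tuple[str, str, str, str]] = []
    for filename, text in confs.items():
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                verbose_on = re.fullmatch(r"action\.[^.]+\.param\.verbose", key) and is_true(value)
                debug_on = key == "debug" and is_true(value)
                script_debug = re.fullmatch(r"script\.arg\.\d+", key) and value == "debug"
                if verbose_on or debug_on or script_debug:
                    findings.append((filename, stanza, key, value))
    return findings


def main() -> None:
    for filename, stanza, key, value in find_debug_settings(SAMPLE_CONFS):
        print(f"{filename}: [{stanza}] {key} = {value}")


if __name__ == "__main__":
    main()
```

To run it against a deployment, read each app's $SPLUNK_HOME/etc/apps/<app>/local/*.conf into the dictionary in place of SAMPLE_CONFS; the local layer is where the edits on this page are made, and any stanza reported can then be reverted through the same CLI or UI steps.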

Enable Debug Logging for Scripted Lookups

No UI or CLI methods are available for enabling debug logging of scripted lookups.

See Configure external lookups in the Splunk Enterprise Knowledge Manager Manual for general info about scripted lookups.

Last modified on 01 December, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
