Splunk® Enterprise

Troubleshooting Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

About access logs

Splunkd and splunkweb both produce access logs in a format similar to common Apache webserver access log formats.

Splunkd produces splunkd_access.log, and splunkweb records logs in web_access.log. Both log files are close approximations of the Apache combined log format.

Apache formats are described briefly in the Apache HTTP Server documentation. For example, see Apache 2.4 log file documentation.

splunkd_access.log

This file records HTTP requests served by splunkd on its management port. Here is a typical line in splunkd_access.log:

127.0.0.1 - - [21/Oct/2014:13:50:25.662 -0700] "GET /services/server/info?output_mode=json HTTP/1.1" 200 1566 - - - 1ms

These fields are

<address> - <user> [<time>] "<request>" <status> <response_size> - - - <duration>
  • address: The IP address from which the HTTP client socket appears to originate. Typically these requests originate from splunkweb and come over the localhost/loopback address.
  • The second field is a placeholder for the unused identd field.
  • user: The splunk user, if any, making the request. System accesses on behalf of no particular user appear as "-".
  • timestamp: This is the time that splunkd finished reading in the request. However, the log event is written out when the http server finishes writing the response, so these timestamps can be out of order.
  • request: The HTTP request made by the client consisting of an action, a URL, and a protocol version.
  • status: The HTTP status returned as part of the response.
  • response_size: The size of the body of the response in bytes
  • Three additional placeholders.
  • duration: The time it took from the completion of reading the request to completely writing out the response. This value is logged explicitly in milliseconds.

Between the definitions for timestamp and duration, you can infer the response completion time by adding duration to the timestamp.

web_access.log

A web access line is similar:

127.0.0.1 - admin [21/Oct/2014:14:05:05.044 -0700] "GET /en-US/api/message/index HTTP/1.1" 200 341 "http://mcp.sv.splunk.com:62100/en-US/manager/search/saved/searches" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0" - 5446ca810b7fb1d8551110 11ms

Here the format is:

<address> - <user> [<time>] "<request>" <status> <response_size> "<referer>" "<user agent>" - <session_id> <duration>

where address, user, time, request, status, response_size, and duration are the same as in splunkd_access.log. The new components here are:

  • referer: referer [sic] is the URL that the client told us provided the link to the URL that was accessed.
  • user agent: The string the http client used to identify itself.
  • session_id: This represents the splunkweb session. Can be used to follow a stream of requests from a particular client. These sessions are transient starting in Splunk Enterprise 6.2.0.

splunkd_ui_access.log

Starting in Splunk Enterprise 6.2.0, splunkd handles requests from the browser that splunkweb handled pre-6.2.0. This file records HTTP requests served by splunkd on the Splunk Web port. The format is identical to web_access.log.

Last modified on 16 September, 2020
Troubleshoot inputs with metrics.log   About Splunk Enterprise platform instrumentation

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters