About access logs
Splunkd and splunkweb both produce access logs in a format similar to common Apache webserver access log formats.
splunkd_access.log, and splunkweb records logs in
web_access.log. Both log files are close approximations of the Apache combined log format.
Apache formats are described briefly in the Apache HTTP Server documentation. For example, see Apache 2.4 log file documentation.
This file records HTTP requests served by splunkd on its management port. Here is a typical line in
127.0.0.1 - - [21/Oct/2014:13:50:25.662 -0700] "GET /services/server/info?output_mode=json HTTP/1.1" 200 1566 - - - 1ms
These fields are
<address> - <user> [<time>] "<request>" <status> <response_size> - - - <duration>
address: The IP address from which the HTTP client socket appears to originate. Typically these requests originate from splunkweb and come over the localhost/loopback address.
- The second field is a placeholder for the unused
user: The splunk user, if any, making the request. System accesses on behalf of no particular user appear as "-".
timestamp: This is the time that splunkd finished reading in the request. However, the log event is written out when the http server finishes writing the response, so these timestamps can be out of order.
request: The HTTP request made by the client consisting of an action, a URL, and a protocol version.
status: The HTTP status returned as part of the response.
response_size: The size of the body of the response in bytes
- Three additional placeholders.
duration: The time it took from the completion of reading the request to completely writing out the response. This value is logged explicitly in milliseconds.
Between the definitions for timestamp and duration, you can infer the response completion time by adding duration to the timestamp.
A web access line is similar:
127.0.0.1 - admin [21/Oct/2014:14:05:05.044 -0700] "GET /en-US/api/message/index HTTP/1.1" 200 341 "http://mcp.sv.splunk.com:62100/en-US/manager/search/saved/searches" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0" - 5446ca810b7fb1d8551110 11ms
Here the format is:
<address> - <user> [<time>] "<request>" <status> <response_size> "<referer>" "<user agent>" - <session_id> <duration>
duration are the same as in
splunkd_access.log. The new components here are:
referer: referer [sic] is the URL that the client told us provided the link to the URL that was accessed.
user agent: The string the http client used to identify itself.
session_id: This represents the splunkweb session. Can be used to follow a stream of requests from a particular client. These sessions are transient starting in Splunk Enterprise 6.2.0.
Starting in Splunk Enterprise 6.2.0, splunkd handles requests from the browser that splunkweb handled pre-6.2.0. This file records HTTP requests served by splunkd on the Splunk Web port. The format is identical to
Troubleshoot inputs with metrics.log
About Splunk Enterprise platform instrumentation
This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Feedback submitted, thanks!