Splunk® Enterprise

Troubleshooting Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Enable debug logging

The Splunk platform internal logging levels are DEBUG INFO WARN ERROR FATAL (from most to least verbose). This topic gives a few popular options for how you might want to put Splunk into debug mode.

Be warned, Splunk software debug mode is extremely verbose. All the extra chatter might obscure something that might have helped you diagnose your problem. Running Splunk software in debug mode for an extended time makes your internal log files unwieldy. Running debug mode is not recommended on production systems.

Enable debug logging on all of splunkd.log

Splunk software has a debugging parameter (--debug) that you can use when starting Splunk software from the CLI in *nix. This command outputs logs to $SPLUNK_HOME/var/log/splunk/splunkd.log. To enable debug logging from the command line:

  • Navigate to $SPLUNK_HOME/bin.
  • Stop Splunk, if it is running.
  • Save your existing splunkd.log file by moving it to a new filename, like splunkd.log.old.
  • Restart Splunk in debug mode with splunk start --debug.
  • When you notice the problem, stop Splunk.
  • Move the new splunkd.log file elsewhere and restore your old one.
  • Stop or restart Splunk normally (without the --debug flag) to disable debug logging.

Specific areas can be enabled to collect debugging details over a longer period with minimal performance impact. See the category settings in the file $SPLUNK_HOME/etc/log.cfg to set specific log levels without enabling a large number of categories as with --debug. Restart Splunk after changing this file.

Important: Changes to $SPLUNK_HOME/etc/log.cfg are overwritten if you upgrade your version of Splunk software.

Note: Not all messages marked WARN or ERROR indicate actual problems with Splunk software; some indicate that a feature is not being used.

Note also that this option is not available on Windows. To enable debugging on Splunk software running on Windows, enable debugging on a specific processor in Splunk Web or using log.cfg.

Enable debug logging for a specific processor within splunkd.log

In Splunk Web

You can enable these DEBUG settings via Splunk Web if you have admin privileges. Navigate to Settings > Server settings > Server logging. Search for the processor names using the text box. Click on the processor name to change the logging level to DEBUG. You do not need to restart Splunk. In fact, these changes will not persist if you restart the Splunk instance.

In log.cfg

If you want the processors to be in DEBUG on startup, or if you want to turn on debugging for a few processors or for a lightweight forwarder (with no Splunk Web), create or edit a $SPLUNK_HOME/etc/log-local.cfg file to override changes in $SPLUNK_HOME/etc/log.cfg.

In $SPLUNK_HOME/etc/log.cfg, find the category.* entry that relates to the processor you are interested in, and copy the line to log-local.cfg with INFO or WARN modified to DEBUG. There will not always be an existing entry for the processor you are interested in, and it may take some digging through the logs or documentation to find the correct one.

For example, to see how often Splunk software is updating or retrieving progress-tracking records fora particular file, put 'FileInputTracker' in DEBUG. Update the existing entry to read 

category.FileInputTracker=DEBUG

Or for investigating problems monitoring files, use the FileInputTracker and selectProcessor categories.

Restart the Splunk platform. Now every time Splunk software checks the inputs file, it will be recorded in $SPLUNK_HOME/var/log/splunk/splunkd.log. Remember to change these settings back when you are finished investigating.

If a default level is not specified for a category, the logging level defaults to your rootCategory setting.

Note: Leave category.loader at INFO. This is what gives us our build and system info.

To change the maximum size of a log file before it rolls, change the maxFileSize value (in bytes) for the desired file: 

appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=25000000
appender.A1.maxBackupIndex=5
appender.A1.layout=PatternLayout
appender.A1.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l} %-5p %c - %m%n

About precedence

If you have duplicate lines in log.cfg, the last line takes precedence. For example, 

category.databasePartitionPolicy=INFO
category.databasePartitionPolicy=DEBUG

will give you DEBUG, but in the other order it will not.

The other log-*.cfg files behave similarly when you add categories. To set only some things in a search.log into debug mode, in log-searchprocess.cfg add a new category line after the rootCategory: 

rootCategory=INFO,searchprocessAppender
category.<foo>=DEBUG
appender.searchprocessAppender=RollingFileAppender

This leaves everything else as it was, which means only the debug messages you want are generated. Putting rootCategory into DEBUG mode makes the dispatch directories huge, so it is not a good choice for long-running debug.

log-local.cfg

You can put log.cfg settings into a local file, log-local.cfg file, residing in the same directory as log.cfg. The settings in log-local.cfg take precedence. And unlike log.cfg, the log-local.cfg file doesn't get overwritten on upgrade.

With endpoints

You can access a debugging endpoint that shows status information about monitored files: 

https://your-splunk-server:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Enable debug messages from the CLI

./splunk _internal call /services/server/logger/TailingProcessor -post:level DEBUG

Note: This search returns the message "HTTP Status: 200". This is not an error and is normal.


You can also enable debugging with this command: 

./splunk set log-level TailingProcessor -level DEBUG

Enable debug logging for search processes

Search processes obey the etc/log-searchprocess.cfg rules. Similar to splunkd, they can be overridden in etc/log-searchprocess-local.cfg.

All loggers can be set to DEBUG by adding a line such as 

rootCategory=DEBUG,searchprocessAppender

Specific loggers can be set to debug as well, for example: 

category.UnifiedSearch=DEBUG
category.IndexScopedSearch=DEBUG

This change takes effect immediately for all searches started after the change.

Debug Splunk Web

Change the logging level for the splunkweb process by editing the file: 

$SPLUNK_HOME/etc/log.cfg

or if you have created your own 

$SPLUNK_HOME/etc/log-local.cfg

Locate the [python] stanza and change the contents to: 

[python]
splunk = DEBUG
# other lines should be removed

The logging component names are hierarchical so setting the top level splunk component will affect all loggers unless a more specific setting is provided, like splunk.search = INFO.

Restart the splunkweb process with the command ./splunk restart splunkweb. The additional messages are output in the file $SPLUNK_HOME/var/log/splunk/web_service.log.

Last modified on 10 November, 2021
What Splunk software logs about itself   About metrics.log

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters