Enable debug logging
The Splunk platform internal logging levels are DEBUG, INFO, WARN, ERROR, and FATAL (from most to least verbose). This topic gives a few popular options for how you might want to put Splunk into debug mode.
Be warned, Splunk software debug mode is extremely verbose. All the extra chatter might obscure something that might have helped you diagnose your problem. Running Splunk software in debug mode for an extended time makes your internal log files unwieldy. Running debug mode is not recommended on production systems.
Enable debug logging on all of splunkd.log
Splunk software has a debugging parameter (--debug) that you can use when starting Splunk software from the CLI in *nix. This command outputs logs to $SPLUNK_HOME/var/log/splunk/splunkd.log. To enable debug logging from the command line:
- Navigate to $SPLUNK_HOME/bin.
- Stop Splunk, if it is running.
- Save your existing splunkd.log file by moving it to a new filename, like splunkd.log.old.
- Restart Splunk in debug mode with splunk start --debug.
- When you notice the problem, stop Splunk.
- Move the new splunkd.log file elsewhere and restore your old one.
- Stop or restart Splunk normally (without the --debug flag) to disable debug logging.
Specific areas can be enabled to collect debugging details over a longer period with minimal performance impact. See the category settings in the file $SPLUNK_HOME/etc/log.cfg to set specific log levels without enabling a large number of categories as with --debug. Restart Splunk after changing this file.
Important: Changes to $SPLUNK_HOME/etc/log.cfg are overwritten if you upgrade your version of Splunk software.
Note: Not all messages marked WARN or ERROR indicate actual problems with Splunk software; some indicate that a feature is not being used.
Note also that this option is not available on Windows. To enable debugging on Splunk software running on Windows, enable debugging on a specific processor in Splunk Web or using log.cfg.
Enable debug logging for a specific processor within splunkd.log
In Splunk Web
You can enable these DEBUG settings via Splunk Web if you have admin privileges. Navigate to Settings > Server settings > Server logging. Search for the processor names using the text box. Click on the processor name to change the logging level to DEBUG. You do not need to restart Splunk. In fact, these changes will not persist if you restart the Splunk instance.
In log.cfg
If you want the processors to be in DEBUG on startup, or if you want to turn on debugging for a few processors or for a lightweight forwarder (with no Splunk Web), create or edit a $SPLUNK_HOME/etc/log-local.cfg file to override changes in $SPLUNK_HOME/etc/log.cfg.
In $SPLUNK_HOME/etc/log.cfg, find the category.* entry that relates to the processor you are interested in, and copy the line to log-local.cfg with INFO or WARN modified to DEBUG. There will not always be an existing entry for the processor you are interested in, and it may take some digging through the logs or documentation to find the correct one.
For example, to see how often Splunk software is updating or retrieving progress-tracking records for a particular file, put 'FileInputTracker' in DEBUG. Update the existing entry to read:
category.FileInputTracker=DEBUG
Or for investigating problems monitoring files, use the FileInputTracker and selectProcessor categories.
Restart the Splunk platform. Now every time Splunk software checks the inputs file, it will be recorded in $SPLUNK_HOME/var/log/splunk/splunkd.log. Remember to change these settings back when you are finished investigating.
If a default level is not specified for a category, the logging level defaults to your rootCategory setting.
Note: Leave category.loader at INFO. This is what gives us our build and system info.
To change the maximum size of a log file before it rolls, change the maxFileSize value (in bytes) for the desired file:
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=25000000
appender.A1.maxBackupIndex=5
appender.A1.layout=PatternLayout
appender.A1.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l} %-5p %c - %m%n
About precedence
If you have duplicate lines in log.cfg, the last line takes precedence. For example,
category.databasePartitionPolicy=INFO
category.databasePartitionPolicy=DEBUG
will give you DEBUG, but in the other order it will not.
The other log-*.cfg files behave similarly when you add categories. To set only some things in a search.log into debug mode, in log-searchprocess.cfg add a new category line after the rootCategory:
rootCategory=INFO,searchprocessAppender
category.<foo>=DEBUG
appender.searchprocessAppender=RollingFileAppender
This leaves everything else as it was, which means only the debug messages you want are generated. Putting rootCategory into DEBUG mode makes the dispatch directories huge, so it is not a good choice for long-running debug.
log-local.cfg
You can put log.cfg settings into a local file, log-local.cfg, residing in the same directory as log.cfg. The settings in log-local.cfg take precedence. And unlike log.cfg, the log-local.cfg file doesn't get overwritten on upgrade.
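The precedence rules above (last duplicate line wins, log-local.cfg overrides log.cfg, missing categories fall back to rootCategory), worked through as an added example that is not Splunk's own code. The sample file contents are constructed, and the key-by-key merge within a stanza is an assumption about how the two files combine.

```python
# Added example, not Splunk code. Assumption: log-local.cfg overrides log.cfg
# key by key within a stanza. The two sample files below are constructed.
LOG_CFG = """\
[splunkd]
rootCategory=WARN,A1
category.loader=INFO
category.databasePartitionPolicy=INFO
category.databasePartitionPolicy=DEBUG
category.FileInputTracker=INFO
"""
LOG_LOCAL_CFG = """\
[splunkd]
category.FileInputTracker=DEBUG
"""

def parse_cfg(text):
    """Return {(stanza, key): value}; a later duplicate line replaces an earlier one."""
    settings, stanza = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[(stanza, key.strip())] = value.strip()
    return settings

def merge(default_text, local_text):
    """Apply log-local.cfg settings on top of log.cfg settings."""
    merged = parse_cfg(default_text)
    merged.update(parse_cfg(local_text))
    return merged

def level_for(merged, category, stanza="splunkd"):
    """Level for a category, falling back to rootCategory when it has no entry."""
    value = merged.get((stanza, "category." + category))
    if value is None:
        value = merged.get((stanza, "rootCategory"), "")
    return value.split(",")[0].strip().upper()

def debug_categories(merged, stanza="splunkd"):
    """Categories explicitly set to DEBUG: the ones to revert after investigating."""
    return sorted(k[len("category."):] for (s, k), v in merged.items()
                  if s == stanza and k.startswith("category.") and v.strip().upper() == "DEBUG")

if __name__ == "__main__":
    print(debug_categories(merge(LOG_CFG, LOG_LOCAL_CFG)))
```

Levels changed in Splunk Web do not persist across a restart, so this reflects only what the files would set at startup.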
With endpoints
You can access a debugging endpoint that shows status information about monitored files:
https://your-splunk-server:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Enable debug messages from the CLI
./splunk _internal call /services/server/logger/TailingProcessor -post:level DEBUG
Note: This command returns the message "HTTP Status: 200". This is not an error and is normal.
You can also enable debugging with this command:
./splunk set log-level TailingProcessor -level DEBUG
Enable debug logging for search processes
Search processes obey the etc/log-searchprocess.cfg rules. Similar to splunkd, they can be overridden in etc/log-searchprocess-local.cfg.
All loggers can be set to DEBUG by adding a line such as
rootCategory=DEBUG,searchprocessAppender
Specific loggers can be set to debug as well, for example:
category.UnifiedSearch=DEBUG
category.IndexScopedSearch=DEBUG
This change takes effect immediately for all searches started after the change.
Debug Splunk Web
Change the logging level for the splunkweb process by editing the file:
$SPLUNK_HOME/etc/log.cfg
or if you have created your own
$SPLUNK_HOME/etc/log-local.cfg
Locate the [python] stanza and change the contents to:
[python]
splunk = DEBUG
# other lines should be removed
The logging component names are hierarchical, so setting the top-level splunk component will affect all loggers unless a more specific setting is provided, like splunk.search = INFO.
Restart the splunkweb process with the command ./splunk restart splunkweb. The additional messages are output in the file $SPLUNK_HOME/var/log/splunk/web_service.log.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9