Splunk® Enterprise

Troubleshooting Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About access logs

The Splunk Enterprise splunkd process produces splunkd_access.log and web_access.log. Both logs are very similar to the Apache combined log format.

Apache formats are described briefly in the Apache HTTP Server documentation. For example, see Apache 2.4 log file documentation.

splunkd_access.log

This file records HTTP requests served by splunkd on its management port. Below is a typical line in splunkd_access.log:

127.0.0.1 - - [21/Oct/2014:13:50:25.662 -0700] "GET /services/server/info?output_mode=json HTTP/1.1" 200 1566 "-" "Python-httplib2/0.13.1 (gzip)" - 1ms

The event fields are:

<address> - <user> [<time>] "<request>" <status> <response_size> "-" "<useragent>" - <duration>

  • address: The IP address from which the HTTP client socket appears to originate. Typically these requests originate from splunkweb and come over the localhost/loopback address.
  • The second field is a placeholder for the unused identd field.
  • user: The user, if any, making the request. System accesses on behalf of no particular user appear as "-".
  • timestamp: The time that splunkd finished reading in the request. However, the log event is written out when the HTTP server finishes writing the response. As a result, the event timestamps can appear out of order.
  • request: The HTTP request made by the client, consisting of an action, a URL, and a protocol version.
  • status: The HTTP status returned as part of the response.
  • response_size: The size of the body of the response in bytes.
  • user agent: The string the HTTP client used to identify itself.
  • duration: The time in milliseconds from the completion of reading the request to completely writing out the response. To calculate the response completion time, add the duration to the timestamp.

web_access.log

A web_access.log event is similar to a splunkd_access.log event. Below is a typical line in web_access.log:

127.0.0.1 - admin [21/Oct/2014:14:05:05.044 -0700] "GET /en-US/api/message/index HTTP/1.1" 200 341 "http://mcp.sv.splunk.com:62100/en-US/manager/search/saved/searches" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0" - 5446ca810b7fb1d8551110 11ms

The event fields are:

<address> - <user> [<time>] "<request>" <status> <response_size> "<referer>" "<user agent>" - <session_id> <duration>

The web_access.log unique fields are:

  • referer: The URL the client was at before accessing the current URL.
  • session_id: Identifies the splunkweb session, and can be used to follow a stream of requests from a particular client. These sessions are transient starting in Splunk Enterprise 6.2.0.

All other fields are identical to those in splunkd_access.log.

splunkd_ui_access.log

Starting in Splunk Enterprise 6.2.0, splunkd handles requests from the browser that splunkweb handled pre-6.2.0. This file records HTTP requests served by splunkd on the Splunk Web port. The format is identical to the web_access.log.
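The following parser is an added example, not Splunk code, covering both the splunkd_access.log layout and the web_access.log / splunkd_ui_access.log layout described above. It assumes only what the two field templates on this page state: the web layout is the splunkd layout with a referer and a session_id added, so one regular expression with an optional session_id handles all three files. The field names, the helper functions, and the three-line sample log are constructed for this example; the first two sample lines are the ones shown on this page. It also derives the response completion time (timestamp plus duration), restores request order for events that the file writes in completion order, and tallies error responses per address, which is the first thing to look at when investigating failed management-port logins.

```python
"""Parse Splunk access-log lines (splunkd_access.log, web_access.log, splunkd_ui_access.log).

Added example, not Splunk code. Assumes only the documented field layouts:
  <address> - <user> [<time>] "<request>" <status> <size> "<referer>" "<useragent>" - [<session_id>] <duration>ms
where session_id is present only in the web_access.log style files.
"""
import re
from datetime import datetime, timedelta

# The "-" after the user agent is a fixed placeholder; session_id is optional.
ACCESS_RE = re.compile(
    r'^(?P<address>\S+) (?P<identd>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<response_size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" -'
    r'(?: (?P<session_id>\S+))? (?P<duration_ms>\d+)ms$'
)

# Timestamp layout used in the log, e.g. 21/Oct/2014:13:50:25.662 -0700
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"

# Lines from this page (first two) plus constructed lines for the ordering demo.
SPLUNKD_LINE = ('127.0.0.1 - - [21/Oct/2014:13:50:25.662 -0700] "GET /services/server/info?output_mode=json HTTP/1.1" '
                '200 1566 "-" "Python-httplib2/0.13.1 (gzip)" - 1ms')
WEB_LINE = ('127.0.0.1 - admin [21/Oct/2014:14:05:05.044 -0700] "GET /en-US/api/message/index HTTP/1.1" 200 341 '
            '"http://mcp.sv.splunk.com:62100/en-US/manager/search/saved/searches" '
            '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0" - 5446ca810b7fb1d8551110 11ms')
SAMPLE_LOG = [  # constructed; file order is completion order, so timestamps look out of order
    '127.0.0.1 - - [21/Oct/2014:13:50:25.200 -0700] "GET /services/server/info HTTP/1.1" 200 1566 "-" "curl/7.30.0" - 1ms',
    '127.0.0.1 - admin [21/Oct/2014:13:50:25.000 -0700] "GET /services/search/jobs HTTP/1.1" 200 8213 "-" "curl/7.30.0" - 500ms',
    '10.0.0.5 - - [21/Oct/2014:13:50:26.010 -0700] "POST /services/auth/login HTTP/1.1" 401 119 "-" "curl/7.30.0" - 3ms',
]


def parse_access_line(line):
    """Return a dict of typed fields for one line, or None if the line does not match the layout."""
    m = ACCESS_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ev = m.groupdict()
    # The bracketed time is when splunkd finished reading the request.
    ev["timestamp"] = datetime.strptime(ev.pop("time"), TIME_FORMAT)
    ev["status"] = int(ev["status"])
    ev["response_size"] = 0 if ev["response_size"] == "-" else int(ev["response_size"])
    ev["duration_ms"] = int(ev["duration_ms"])
    # Completion time = timestamp + duration, as the page describes; this is
    # the instant the event was actually written to the file.
    ev["completed_at"] = ev["timestamp"] + timedelta(milliseconds=ev["duration_ms"])
    # request is "<method> <url> <protocol>"; tolerate a truncated or bare "-" request.
    parts = ev["request"].split(" ")
    ev["method"], ev["url"], ev["protocol"] = (parts + [None, None, None])[:3]
    return ev


def parse_log(lines):
    """Parse an iterable of lines, keeping file order and dropping lines that do not match."""
    return [ev for ev in (parse_access_line(l) for l in lines) if ev is not None]


def in_request_order(events):
    """Re-order events by the time the request was read, undoing completion-order writes."""
    return sorted(events, key=lambda ev: ev["timestamp"])


def error_counts_by_address(events, min_status=400):
    """Count responses with status >= min_status per client address (a quick triage view)."""
    counts = {}
    for ev in events:
        if ev["status"] >= min_status:
            counts[ev["address"]] = counts.get(ev["address"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in in_request_order(parse_log(SAMPLE_LOG)):
        print(ev["timestamp"].isoformat(), ev["address"], ev["user"], ev["method"], ev["url"], ev["status"], ev["duration_ms"])
    print(error_counts_by_address(parse_log(SAMPLE_LOG)))
```

Because session_id is optional in the pattern, the same parser accepts splunkd_access.log lines (where the field after the user agent placeholder is the duration) and web_access.log lines (where a session_id precedes it). Sorting by timestamp rather than trusting file order matters when correlating a slow request with the faster ones that completed, and were therefore logged, before it.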

Last modified on 16 September, 2020

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1