About access logs
The Splunk Enterprise splunkd process produces splunkd_access.log and web_access.log. Both logs are very similar to the Apache combined log format.
Apache formats are described briefly in the Apache HTTP Server documentation. For example, see Apache 2.4 log file documentation.
This file records HTTP requests served by splunkd on its management port. Below is a typical line in splunkd_access.log:
127.0.0.1 - - [21/Oct/2014:13:50:25.662 -0700] "GET /services/server/info?output_mode=json HTTP/1.1" 200 1566 "-" "Python-httplib2/0.13.1 (gzip)" - 1ms
The event fields are:
<address> - <user> [<time>] "<request>" <status> <response_size> "-" "<useragent>" - <duration>
address: The IP address from which the HTTP client socket appears to originate. Typically these requests originate from splunkweb and come over the localhost/loopback address.
- The second field is a placeholder for the unused
user: The user, if any, making the request. System accesses on behalf of no particular user appear as "-".
timestamp: The time that splunkd finished reading in the request. However, the log event is written out when the http server finishes writing the response. As a result, the event timestamps can appear out of order.
request: The HTTP request made by the client consisting of an action, a URL, and a protocol version.
status: The HTTP status returned as part of the response.
response_size: The size of the body of the response in bytes
user agent: The string the http client used to identify itself.
duration: The time in milliseconds from the completion of reading the request to completely writing out the response. To calculate the response completion time, add the duration to the timestamp.
A web_access.log event is similar to a splunkd_access.log event. Below is a typical line in web_access.log:
127.0.0.1 - admin [21/Oct/2014:14:05:05.044 -0700] "GET /en-US/api/message/index HTTP/1.1" 200 341 "http://mcp.sv.splunk.com:62100/en-US/manager/search/saved/searches" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:32.0) Gecko/20100101 Firefox/32.0" - 5446ca810b7fb1d8551110 11ms
The event fields are:
<address> - <user> [<time>] "<request>" <status> <response_size> "<referer>" "<user agent>" - <session_id> <duration>
The web_access.log unique fields are:
referer: the prior URL location of the client before accessing the current URL.
session_id: This represents the splunkweb session. Can be used to follow a stream of requests from a particular client. These sessions are transient starting in Splunk Enterprise 6.2.0.
All other fields are identical to the
Starting in Splunk Enterprise 6.2.0, splunkd handles requests from the browser that splunkweb handled pre-6.2.0. This file records HTTP requests served by splunkd on the Splunk Web port. The format is identical to the web_access.log.
Troubleshoot inputs with metrics.log
About Splunk Enterprise platform instrumentation
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!