Splunk Cloud Platform

Developing Views and Apps for Splunk Web

Set up logging

Well-behaved scripts send logging data to splunkd.log. This logging data is useful for tracking and troubleshooting.

About logging

Any data you write to stderr is written to splunkd.log. You can specify a log level when writing to stderr. If unspecified, the log level defaults to ERROR. The following example shows how to write INFO and ERROR logging entries:

INFO Connecting to the endpoint
ERROR Unable to connect to the endpoint

Here are the recognized log levels from lowest to highest severity.

  • DEBUG
  • INFO
  • WARN
  • ERROR
  • FATAL

Log entries are written to splunkd.log based on the log level. By default, entries with a log level of INFO or higher are written to splunkd.log. To modify the default behavior, in Splunk Web navigate to Settings > Server settings > Server logging. Then navigate to the ExecProcessor log channel. Select ExecProcessor to make any changes.

Alternatively, you can navigate to the following file.

$SPLUNK_HOME/etc/log.cfg

In log.cfg, set the logging level for modular inputs by editing the log level in the following line.

category.ExecProcessor=INFO

For more information on logging, refer to What Splunk logs about itself in the Troubleshooting Manual.

Note: You must have Splunk Enterprise admin privileges to change logging behavior.

Example: Setting up standard Splunk logging

The following snippet from a script shows how to set up standard Splunk logging.

Standard Splunk logging snippets

. . .
import logging
. . .
# set up logging suitable for splunkd consumption
logging.root
logging.root.setLevel(logging.DEBUG)
formatter = logging.Formatter('%(levelname)s %(message)s')
handler = logging.StreamHandler(stream=sys.stderr)
handler.setFormatter(formatter)
logging.root.addHandler(handler)
. . .
# add various logging statements
# for example:
#
# logging.info("URL %s already processed.  Skipping.")
#
#     if item_node:
#      logging.debug("XML: found item")
#
# etc.
Last modified on 24 August, 2018
Create modular inputs   Data checkpoints

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters