https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126196#M3828 <P>Cool thanks somesoni2!</P> Thu, 02 Apr 2015 20:31:26 GMT crodri210 2015-04-02T20:31:26Z https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126193#M3825 <P>How do you search for banner messages that appear on the Splunk Web Interface. I'm looking for error messages like "Unable to distribute to peer name XXXXX at uri xx.xx.xx.xxx:xxx because peer status = "Down"</P> <P>I tried running index=_internal source="*web_service.log" raise from a previous post (<A href="http://answers.splunk.com/answers/81552/how-to-search-for-all-banner-messages.html" target="_blank">http://answers.splunk.com/answers/81552/how-to-search-for-all-banner-messages.html</A>), but this doesn't give me the information that I'm looking for. </P> Mon, 28 Sep 2020 19:24:40 GMT https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126193#M3825 crodri210 2020-09-28T19:24:40Z https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126194#M3826 <P>I think I got it. I just ran the following search and it gave me the information I was looking for</P> <P>index=_internal "Unable to distribute"</P> Thu, 02 Apr 2015 20:10:19 GMT https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126194#M3826 crodri210 2015-04-02T20:10:19Z https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126195#M3827 <P>I guess All the error/warning messages from Splunk Web UI are stored as Splunk's internal error. May like this will give you all the errors/warnings. Of course, you can search for specific warnings.</P> <PRE><CODE>index=_internal sourcetype=splunkd log_level="WARN" OR log_level="ERROR" </CODE></PRE> Thu, 02 Apr 2015 20:27:34 GMT https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126195#M3827 somesoni2 2015-04-02T20:27:34Z https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126196#M3828 <P>Cool thanks somesoni2!</P> Thu, 02 Apr 2015 20:31:26 GMT https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126196#M3828 crodri210 2015-04-02T20:31:26Z https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126197#M3829 <P>Hi,<BR /> The answer of somesoni2 is good but i just want to extend his answer. Because there many values of field "log_level" use this query:<BR /> index=_internal sourcetype=splunkd log_level=*</P> Mon, 28 Sep 2020 19:23:05 GMT https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126197#M3829 NOUMSSI 2020-09-28T19:23:05Z https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126198#M3830 <P>I found this which closely matches your question.</P> <PRE><CODE> | rest /services/messages | table title message severity timeCreated_iso published splunk_server author </CODE></PRE> <P>I then created an alert from this..</P> Fri, 10 Apr 2015 16:08:47 GMT https://community.splunk.com/t5/Security/How-to-search-the-internal-index-for-banner-error-messages-that/m-p/126198#M3830 rdowd 2015-04-10T16:08:47Z