https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316277#M4345 <P>Thanks for your help !! splunkd_stderr.log shows following message. </P> <P>2017-02-23 16:44:04.148 +0100 splunkd started (build 59c8927def0f) For startup<BR /> 2017-02-23 16:44:25.885 +0100 Interrupt signal received - for stop</P> <P>but audit.log worked perfect for me as we are already monitoring audit.log<BR /> audit.log<BR /> action=splunkShuttingDown<BR /> action=splunkStarting</P> <P>Thanks<BR /> Ankit</P> Thu, 23 Feb 2017 16:24:49 GMT AKG1_old1 2017-02-23T16:24:49Z https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316274#M4342 <P>Hi,</P> <P>I want to keep track of splunk startup and stop. </P> <P>I have checked splunkd.log file but its not clearly specifying started/stopped sucessfully. Even when we start/stop Splunk using command line. It shows message like below on screen. Not sure if same information is stored in some file.</P> <P>Starting splunk server daemon (splunkd)...<BR /> Done<BR /> [ OK ]</P> <P>Stopping splunk helpers...<BR /> [ OK ]<BR /> Done.</P> <P>Question:<BR /> Is there any logs which specify that splunk started /stopped successfully ?</P> <P>Thanks<BR /> Ankit</P> Thu, 23 Feb 2017 14:54:32 GMT https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316274#M4342 AKG1_old1 2017-02-23T14:54:32Z https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316275#M4343 <P>It should be in <CODE>splunkd_stderr.log</CODE></P> <P><CODE>$SPLUNK_HOME/var/log/splunk</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/WhatSplunklogsaboutitself">http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/WhatSplunklogsaboutitself</A></P> Thu, 23 Feb 2017 15:10:47 GMT https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316275#M4343 skoelpin 2017-02-23T15:10:47Z https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316276#M4344 <P>I doubt stdout for restarts is stored directly but there is similar stuff inside <CODE>$SPLUNK_HOME/var/log/splunk/splunkd.log</CODE> and also <CODE>mongod.log</CODE>; look for "stop*", "clos*", "shut*", and "flush*". If you are looking something else, check out <CODE>audit.log</CODE>; I am sure there is a clear "splunk was shut down" and "splunk was started" event there. You can try a search like this:</P> <PRE><CODE>index=_* stop* OR start* OR clos* OR shut OR flush* </CODE></PRE> <P>And then look at the <CODE>Patterns</CODE> tab to clump events.</P> Tue, 29 Sep 2020 13:00:57 GMT https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316276#M4344 woodcock 2020-09-29T13:00:57Z https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316277#M4345 <P>Thanks for your help !! splunkd_stderr.log shows following message. </P> <P>2017-02-23 16:44:04.148 +0100 splunkd started (build 59c8927def0f) For startup<BR /> 2017-02-23 16:44:25.885 +0100 Interrupt signal received - for stop</P> <P>but audit.log worked perfect for me as we are already monitoring audit.log<BR /> audit.log<BR /> action=splunkShuttingDown<BR /> action=splunkStarting</P> <P>Thanks<BR /> Ankit</P> Thu, 23 Feb 2017 16:24:49 GMT https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316277#M4345 AKG1_old1 2017-02-23T16:24:49Z https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316278#M4346 <P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>audit.log worked perfect for me as we are already monitoring audit.log</P> <P>action=splunkShuttingDown<BR /> action=splunkStarting</P> Thu, 23 Feb 2017 16:25:49 GMT https://community.splunk.com/t5/Splunk-Dev/where-does-splunk-store-the-logs-which-specify-starting-stoping/m-p/316278#M4346 AKG1_old1 2017-02-23T16:25:49Z