https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236842#M70365 <P>Every search has its directory with its own search.log file in splunkhome/var/lib/dispatch/run<BR /> However, this exists only for the lifetime of the search, which is typically 10 minutes. It contains many details about how the search was run, how many events were retrieved and how much time was spent in each step.</P> <P>Every search is also logged in audit.log. The easiest way to view the audit log is to use Splunk itself. The audit log is part of <CODE>index=_audit</CODE>; the other internal logs are in <CODE>index=_internal</CODE></P> <P>You probably want to take a look at the documentation: <A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/WhatSplunklogsaboutitself">What Splunk software logs about itself</A> <BR /> It has a good explanation of the logs and what is in each.</P> Wed, 23 Nov 2016 16:12:36 GMT lguinn2 2016-11-23T16:12:36Z https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236841#M70364 <P>When we make searches in Splunk, under which log file do these searches get logged?</P> <P>Example: we need the original place the search below is logged.</P> <PRE><CODE>/splunkhome/bin/splunk dispatch "*" -auth uname:passwd </CODE></PRE> Wed, 23 Nov 2016 14:05:58 GMT https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236841#M70364 newbietosplunk 2016-11-23T14:05:58Z https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236842#M70365 <P>Every search has its directory with its own search.log file in splunkhome/var/lib/dispatch/run<BR /> However, this exists only for the lifetime of the search, which is typically 10 minutes. It contains many details about how the search was run, how many events were retrieved and how much time was spent in each step.</P> <P>Every search is also logged in audit.log. The easiest way to view the audit log is to use Splunk itself. The audit log is part of <CODE>index=_audit</CODE>; the other internal logs are in <CODE>index=_internal</CODE></P> <P>You probably want to take a look at the documentation: <A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/WhatSplunklogsaboutitself">What Splunk software logs about itself</A> <BR /> It has a good explanation of the logs and what is in each.</P> Wed, 23 Nov 2016 16:12:36 GMT https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236842#M70365 lguinn2 2016-11-23T16:12:36Z https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236843#M70366 <P>Oh - and don't forget the Search Job Inspector! Whenever you run a search, you can access the inspector from the UI. It shows a nice summary with graphics of what is contained in the search log. There is also documentation here: <A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Search/ViewsearchjobpropertieswiththeJobInspector">View search job properties</A></P> Wed, 30 Nov 2016 07:00:06 GMT https://community.splunk.com/t5/Splunk-Search/Where-do-searches-get-logged-in-Splunk/m-p/236843#M70366 lguinn2 2016-11-30T07:00:06Z