How to catch ERROR events in search processes



Is it possible to create a search, that finds all "ERROR" messages in search.log for all search jobs?
I tried to search it in _internal - but not found.

Tags (2)
0 Karma

Re: How to catch ERROR events in search processes

Splunk Employee
Splunk Employee

Hi lukasz92,

The short answer is No. search.log files are not stored under $SPLUNKHOME/var/log/splunk/ but are written to SPLUNKHOME/var/run/splunk/dispatch// .
Scheduled jobs (scheduled saved searches) include the saved search name as part of the directory name.

Search jobs manifest as a process in the OS. There are two processes in Linux for each search job: search-launcher and process-runner. You can isolate all the Splunk search processes with: ps -ef | grep search. The main job is the one using system resources and contains search --id in its name.

Hope this helps. Thanks!

View solution in original post

0 Karma