I want to keep track of splunk startup and stop.
I have checked the splunkd.log file, but it does not clearly specify whether Splunk started/stopped successfully, even when we start/stop Splunk using the command line. It shows messages like the ones below on screen. Not sure if the same information is stored in some file.
Starting splunk server daemon (splunkd)...
[ OK ]
Stopping splunk helpers...
[ OK ]
Are there any logs which specify that Splunk started/stopped successfully?
Thanks for your help!! splunkd_stderr.log shows the following messages.
2017-02-23 16:44:04.148 +0100 splunkd started (build 59c8927def0f)   (for startup)
2017-02-23 16:44:25.885 +0100 Interrupt signal received   (for stop)
but audit.log worked perfectly for me, as we are already monitoring audit.log.
I doubt stdout for restarts is stored directly, but there is similar stuff inside $SPLUNK_HOME/var/log/splunk/splunkd.log and also mongod.log; look for "stop", "clos", "shut", and "flush". If you are looking for something else, check out audit.log; I am sure there is a clear "splunk was shut down" and "splunk was started" event there. You can try a search like this:
index=_* stop* OR start* OR clos* OR shut OR flush*
And then look at the Patterns tab to clump events.
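If you want the same start/stop picture without a Splunk search (for example from a file-based monitor reading splunkd_stderr.log), the script below is an added example, not code from this thread or from Splunk. It parses lines laid out like the two splunkd_stderr.log lines quoted above, classifies them with the keyword stems from the answer (stop*, clos*, shut, flush*) plus "splunkd started" / "Interrupt signal received", and reports the current state, the gap of each restart, and anomalies such as two starts in a row (an instance that died without logging a stop). The sample log is constructed; the timestamp layout and the two message texts are assumed to be representative of the whole file.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the two splunkd_stderr.log lines quoted in the
# thread: an explicit restart, then a later stop. The timestamp layout and the two
# message texts come from those lines; the extra lines are assumed for illustration.
SAMPLE_LOG = """\
2017-02-23 16:44:04.148 +0100 splunkd started (build 59c8927def0f)
2017-02-23 16:44:25.885 +0100 Interrupt signal received
2017-02-23 16:44:40.002 +0100 splunkd started (build 59c8927def0f)
2017-02-23 18:02:11.517 +0100 Interrupt signal received
"""

# "YYYY-MM-DD HH:MM:SS.mmm +ZZZZ <message>", as in the quoted lines (assumed layout).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (.+)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"

START_RE = re.compile(r"\bsplunkd started\b", re.I)
# "Interrupt signal received" is the stop marker seen in the thread; the other stems
# are the ones the answer suggests searching for (stop*, clos*, shut, flush*).
STOP_RE = re.compile(r"interrupt signal received|\b(stop|clos|shut|flush)", re.I)


def parse_line(line):
    """Return {"ts", "kind", "msg"} for a start/stop line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group(1), TS_FORMAT)
    msg = m.group(2)
    if START_RE.search(msg):
        kind = "start"
    elif STOP_RE.search(msg):
        kind = "stop"
    else:
        return None
    return {"ts": ts, "kind": kind, "msg": msg}


def build_timeline(text):
    """Chronologically ordered start/stop events extracted from raw log text."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """Counts, current state, restart gaps in seconds, and out-of-order start/stop pairs."""
    summary = {"starts": 0, "stops": 0, "current_state": "unknown",
               "restart_gaps_s": [], "anomalies": []}
    last = None
    for e in events:
        summary[e["kind"] + "s"] += 1
        if last is not None and last["kind"] == e["kind"]:
            # Two starts in a row: the previous instance died without logging a stop.
            # Two stops in a row: a stop logged for a daemon that never reported starting.
            summary["anomalies"].append(
                f'{e["kind"]} at {e["ts"].isoformat()} follows another {last["kind"]}')
        if e["kind"] == "start" and last is not None and last["kind"] == "stop":
            summary["restart_gaps_s"].append((e["ts"] - last["ts"]).total_seconds())
        last = e
    if last is not None:
        summary["current_state"] = "running" if last["kind"] == "start" else "stopped"
    return summary


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG)
    for e in timeline:
        print(f'{e["ts"].isoformat()}  {e["kind"]:5}  {e["msg"]}')
    print(summarize(timeline))
```

Lines that match none of the patterns are ignored, so the script can be pointed at the full file; if your Splunk version words these messages differently, adjust START_RE and STOP_RE to the text you actually see in splunkd_stderr.log.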
Thank you 🙂