Archive

where does splunk store the logs which specify starting/stoping the splunk ?

Builder

Hi,

I want to keep track of splunk startup and stop.

I have checked splunkd.log file but its not clearly specifying started/stopped sucessfully. Even when we start/stop Splunk using command line. It shows message like below on screen. Not sure if same information is stored in some file.

Starting splunk server daemon (splunkd)...
Done
[ OK ]

Stopping splunk helpers...
[ OK ]
Done.

Question:
Is there any logs which specify that splunk started /stopped successfully ?

Thanks
Ankit

Tags (1)
1 Solution

Esteemed Legend

I doubt stdout for restarts is stored directly but there is similar stuff inside $SPLUNK_HOME/var/log/splunk/splunkd.log and also mongod.log; look for "stop*", "clos*", "shut*", and "flush*". If you are looking something else, check out audit.log; I am sure there is a clear "splunk was shut down" and "splunk was started" event there. You can try a search like this:

index=_* stop* OR start* OR clos* OR shut OR flush*

And then look at the Patterns tab to clump events.

View solution in original post

Esteemed Legend

I doubt stdout for restarts is stored directly but there is similar stuff inside $SPLUNK_HOME/var/log/splunk/splunkd.log and also mongod.log; look for "stop*", "clos*", "shut*", and "flush*". If you are looking something else, check out audit.log; I am sure there is a clear "splunk was shut down" and "splunk was started" event there. You can try a search like this:

index=_* stop* OR start* OR clos* OR shut OR flush*

And then look at the Patterns tab to clump events.

View solution in original post

Builder

Thank you 🙂

audit.log worked perfect for me as we are already monitoring audit.log

action=splunkShuttingDown
action=splunkStarting

SplunkTrust
SplunkTrust

It should be in splunkd_stderr.log

$SPLUNK_HOME/var/log/splunk

http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/WhatSplunklogsaboutitself

0 Karma

Builder

Thanks for your help !! splunkd_stderr.log shows following message.

2017-02-23 16:44:04.148 +0100 splunkd started (build 59c8927def0f) For startup
2017-02-23 16:44:25.885 +0100 Interrupt signal received - for stop

but audit.log worked perfect for me as we are already monitoring audit.log
audit.log
action=splunkShuttingDown
action=splunkStarting

Thanks
Ankit