Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where the logs for runtime search errors and search response times are stored?

mngeow
Engager
‎05-18-2017 08:06 PM

Hi,

I am still relatively new to Splunk. I'm trying to analyze the splunk internal logs. I am currently trying to find the logs for the following:

  1. Runtime Search Errors
  2. Search Response Time

For runtime search errors, I really have no idea where the logs are stored.

I do have some idea on where the search response times can be found. I have looked in the splunk_access and splunk_web_access and found the response times. But I am not sure of the difference between the two.

I am also trying to understand the syntax of the logs as well, would be helpful if you could shed some light on that as well.

Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎05-19-2017 05:11 AM

http://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/AboutAccessLogs

it looks like the duration for both the splunk_web_access and splunkd_access logs are the same, but web_access offers new components starting in 6.2.0.

you can look through the _audit and _internal indexes for user search history. I use the _internal index to look if scheduled searches had errors, if that helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎05-19-2017 05:11 AM

http://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/AboutAccessLogs

it looks like the duration for both the splunk_web_access and splunkd_access logs are the same, but web_access offers new components starting in 6.2.0.

you can look through the _audit and _internal indexes for user search history. I use the _internal index to look if scheduled searches had errors, if that helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...