Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you enable debug logging for scripted input

kbecker
Communicator
‎02-12-2012 09:46 AM

I am trying to debug a scripted input that isn't running when it should and I want to enable debug logging. When I look at log.cfg there are about 40 settings under splunkd, which one(s) needs to be changed enable this logging? On a side note I stopped splunk and started with the debug flag (service start splunk --debug), but this didn't seem to do anything.

Universal Forwarder
4.2.2
Build 101277

Thanks for any assistance...

Tags (1)
Reply

wrangler2x
Motivator
‎03-22-2017 01:42 PM

Have a look at https://answers.splunk.com/answers/9917/how-to-debug-scripts-execution.html

Besides setting it through System settings » System logging » ExecProcessor, you can also turn this on at the command line thusly:

Turn debug on:

    `$ splunk set log-level ExecProcessor -level DEBUG`

Set it back:

    `$ splunk set log-level ExecProcessor -level INFO`

See what it is set to:

    `$ splunk show log-level ExecProcessor`

I can use the splunk command at the command line anywhere because I have this in my .bashrc:

    alias splunk=/opt/splunk/bin/splunk
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎02-12-2012 10:35 AM

This is relevant in terms of setting the actual debug setting -- http://splunk-base.splunk.com/answers/33942/how-can-i-change-the-debug-level-on-a-universal-forwarde...

Some of the logging objects that would seem to be relevant (simply based on scanning them by name) would be:

/server/logger/ScriptRunner
/server/logger/script
/server/logger/SchedulerLauncherProcessor
/server/logger/ProcessRunner
/server/logger/ProcessTracker
/server/logger/ExecProcessor
/server/logger/CronScheduler

I would probably try experimenting with each of these in turn to see which combination gives you the debug output you need. The nice thing about enabling these as REST calls is that you don't have to restart splunkd inbetween. But, these settings are not persisted - they'll be undone when you do restart splunkd.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎02-13-2012 08:58 AM

That is correct. These are all REST logging config endpoints. I would not expect them to appear in log.cfg.

0 Karma
Reply

kbecker
Communicator
‎02-13-2012 07:40 AM

This is via the Rest API. I don't see any of these in the log.cfg config file.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...