Monitoring Splunk

How to catch ERROR events in search processes

lukasz92
Communicator

Hi,

Is it possible to create a search, that finds all "ERROR" messages in search.log for all search jobs?
I tried to search it in _internal - but not found.

Tags (2)
0 Karma
1 Solution

hunters_splunk
Splunk Employee
Splunk Employee

Hi lukasz92,

The short answer is No. search.log files are not stored under $SPLUNK_HOME/var/log/splunk/ but are written to SPLUNK_HOME/var/run/splunk/dispatch// .
Scheduled jobs (scheduled saved searches) include the saved search name as part of the directory name.

Search jobs manifest as a process in the OS. There are two processes in Linux for each search job: search-launcher and process-runner. You can isolate all the Splunk search processes with: ps -ef | grep search. The main job is the one using system resources and contains search --id in its name.

Hope this helps. Thanks!
Hunter

View solution in original post

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi lukasz92,

The short answer is No. search.log files are not stored under $SPLUNK_HOME/var/log/splunk/ but are written to SPLUNK_HOME/var/run/splunk/dispatch// .
Scheduled jobs (scheduled saved searches) include the saved search name as part of the directory name.

Search jobs manifest as a process in the OS. There are two processes in Linux for each search job: search-launcher and process-runner. You can isolate all the Splunk search processes with: ps -ef | grep search. The main job is the one using system resources and contains search --id in its name.

Hope this helps. Thanks!
Hunter

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...