Search.log records related to past search

lukasmecir
Path Finder

Hi,

I have a question about search.log. I know I can find the log records related to a particular search in search.log using the Job Inspector (by clicking the link to search.log at the bottom of the Job Inspector). But my question is: is there any way to get the records related to a particular search in the past? Example: I ran a search yesterday and today I would like to get all log records related to this search from the search.log file. Is there any way to do it? Thanks in advance for any info or hint.

Best regards

Lukas


richgalloway
SplunkTrust

By default, ad-hoc search results expire after 10 minutes so there's no way to get the log for yesterday's searches, unless you used the Share button to extend the expiration time of the search.

---
If this reply helps you, an upvote would be appreciated.

lukasmecir
Path Finder

Thanks for the info. Honestly, I was afraid of that, but it is good to get confirmation from someone well experienced. Just for clarification: does it mean that all records related to a particular search are deleted from the search.log file 10 minutes after the search was performed (with the default setting)?
