Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

warning msg with the msg "See search.log for more details." (should be searches.log)

inventsekar
SplunkTrust
SplunkTrust
‎12-19-2024 07:08 PM

Dear Splunk Dev team, 

One more simple typo issue: 

Splunk fresh install 9.4.0 (last week's version 9.3.2 also had this issue, but i thought to wait to post this till next version) showing the warning msg - "Error in 'lookup' command: Could not construct lookup 'test_lenlookup, data'. See search.log for more details."

(on older splunk versions i remember this search.log, but nowadays both search.log and searches.log are not available)

inventsekar_0-1734663169491.png

 

https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself

as per what Splunk logs about itself, it should be "See searches.log for more details."


one more bigger issue -both search.log or searches.log are not available.

All these searches are not returning anything
(the doc says that - The Splunk search logs are located in sub-folders under $SPLUNK_HOME/var/run/splunk/dispatch/. )

 

 

 

index=_* source="*search.log"
OR
index=_* source="*searches.log"
OR
index=_* source="C:\Program Files\Splunk\var\run\splunk\dispatch*"

 

 

 

 

will post this to Splunk Slack as well, thanks. 

If any post helped you in anyway, pls consider adding a karma point, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Labels (1)
Labels
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-20-2024 07:47 AM

You're supposed to check the log for this search, not the general logs ingested into _internal. Log for a particular search is - as far as I remember - a part of the artifacts package from the search and gets removed after the search outlives its retention. So search.log is the thing that you get to by clocking at Job -> Inspect Job and there you have the link to see the search.log

And in your case it's probably an issue with permissions (you haven't exported the script itself properly from the app - I struggled with it for a long time myself; you can't do it via GUI, exporting lookup definition is not sufficient, you must export the script and allow reading)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2024 05:11 AM

The Splunk dev team is not here.  This is a Splunk community (user) site.

The term 'search.log' is correct.  These files are not indexed, but are accessible via the Job Inspector.

The cited docs links says that searches.log is no longer used.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...