Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

warning msg with the msg "See search.log for more details." (should be searches.log)

inventsekar
SplunkTrust
SplunkTrust
‎12-19-2024 07:08 PM

Dear Splunk Dev team, 

One more simple typo issue: 

Splunk fresh install 9.4.0 (last week's version 9.3.2 also had this issue, but i thought to wait to post this till next version) showing the warning msg - "Error in 'lookup' command: Could not construct lookup 'test_lenlookup, data'. See search.log for more details."

(on older splunk versions i remember this search.log, but nowadays both search.log and searches.log are not available)

inventsekar_0-1734663169491.png

 

https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself

as per what Splunk logs about itself, it should be "See searches.log for more details."


one more bigger issue -both search.log or searches.log are not available.

All these searches are not returning anything
(the doc says that - The Splunk search logs are located in sub-folders under $SPLUNK_HOME/var/run/splunk/dispatch/. )

 

 

 

index=_* source="*search.log"
OR
index=_* source="*searches.log"
OR
index=_* source="C:\Program Files\Splunk\var\run\splunk\dispatch*"

 

 

 

 

will post this to Splunk Slack as well, thanks. 

If any post helped you in anyway, pls consider adding a karma point, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Labels (1)
Labels
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-20-2024 07:47 AM

You're supposed to check the log for this search, not the general logs ingested into _internal. Log for a particular search is - as far as I remember - a part of the artifacts package from the search and gets removed after the search outlives its retention. So search.log is the thing that you get to by clocking at Job -> Inspect Job and there you have the link to see the search.log

And in your case it's probably an issue with permissions (you haven't exported the script itself properly from the app - I struggled with it for a long time myself; you can't do it via GUI, exporting lookup definition is not sufficient, you must export the script and allow reading)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2024 05:11 AM

The Splunk dev team is not here.  This is a Splunk community (user) site.

The term 'search.log' is correct.  These files are not indexed, but are accessible via the Job Inspector.

The cited docs links says that searches.log is no longer used.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...