Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I see log entries monitoring splunkd.log via search that do not appear in splunkd.log?

wrangler2x
Motivator
‎07-12-2016 10:51 AM

I was under the impression that if I did index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" realtime that it would be the same as doing a tail -f /opt/splunk/var/log/splunk/splunkd.log (in Linux). That seems to not be quite so.

I was explaining this to a co-worker and showed a tail -f while on another screen running the search in real-time. Yes, I saw everything showing in the tail -f in the search window, but in the search window I saw two other log entry types that were not showing on the other screen: INOFO HttpPubSubConnection and ERROR DiskMon. Here are a couple of samples (with IP redacted):

  1. 07-12-2016 10:38:47.075 -0700 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_xxx.xxx.xxx.xxx_8089_oda1b.oit.uci.edu_oda1b_18CB2BD0-0207-47E0-B4E7-C62BAC751304
  2. 07-12-2016 10:38:42.159 -0700 ERROR DiskMon - None such on disk: /opt/splunk/var/run/splunk/dispatch

And, if I grep for HttpPubSubConnection or DiskMon in /opt/splunk/var/log/splunk/splunkd.log I get nothing back. So where are these log entries coming from, and why do I not see exactly the same thing on both screens?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-12-2016 10:59 AM

How many Splunk systems are in your environment?

The following search will return events from any host that is monitoring the file /opt/splunk/var/log/splunk/splunkd.log

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log"

If, for example, you have two different search heads, or a search head and an indexer, than your splunk search might be returning data from multiple hosts.

View solution in original post

Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-12-2016 10:59 AM

How many Splunk systems are in your environment?

The following search will return events from any host that is monitoring the file /opt/splunk/var/log/splunk/splunkd.log

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log"

If, for example, you have two different search heads, or a search head and an indexer, than your splunk search might be returning data from multiple hosts.

Reply
Solved! Jump to solution

wrangler2x
Motivator
‎07-12-2016 11:11 AM

Yes, that is what it was. And as @somesoni2 suggested, I added a host filter and the results now match. Thanks guys.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-12-2016 10:57 AM

Were you running your query for the exact same host (host filter explicitly specified)?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...