Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I see log entries monitoring splunkd.log via search that do not appear in splunkd.log?

wrangler2x
Motivator
‎07-12-2016 10:51 AM

I was under the impression that if I did index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" realtime that it would be the same as doing a tail -f /opt/splunk/var/log/splunk/splunkd.log (in Linux). That seems to not be quite so.

I was explaining this to a co-worker and showed a tail -f while on another screen running the search in real-time. Yes, I saw everything showing in the tail -f in the search window, but in the search window I saw two other log entry types that were not showing on the other screen: INOFO HttpPubSubConnection and ERROR DiskMon. Here are a couple of samples (with IP redacted):

  1. 07-12-2016 10:38:47.075 -0700 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_xxx.xxx.xxx.xxx_8089_oda1b.oit.uci.edu_oda1b_18CB2BD0-0207-47E0-B4E7-C62BAC751304
  2. 07-12-2016 10:38:42.159 -0700 ERROR DiskMon - None such on disk: /opt/splunk/var/run/splunk/dispatch

And, if I grep for HttpPubSubConnection or DiskMon in /opt/splunk/var/log/splunk/splunkd.log I get nothing back. So where are these log entries coming from, and why do I not see exactly the same thing on both screens?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-12-2016 10:59 AM

How many Splunk systems are in your environment?

The following search will return events from any host that is monitoring the file /opt/splunk/var/log/splunk/splunkd.log

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log"

If, for example, you have two different search heads, or a search head and an indexer, than your splunk search might be returning data from multiple hosts.

View solution in original post

Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎07-12-2016 10:59 AM

How many Splunk systems are in your environment?

The following search will return events from any host that is monitoring the file /opt/splunk/var/log/splunk/splunkd.log

index=_internal source="/opt/splunk/var/log/splunk/splunkd.log"

If, for example, you have two different search heads, or a search head and an indexer, than your splunk search might be returning data from multiple hosts.

Reply
Solved! Jump to solution

wrangler2x
Motivator
‎07-12-2016 11:11 AM

Yes, that is what it was. And as @somesoni2 suggested, I added a host filter and the results now match. Thanks guys.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-12-2016 10:57 AM

Were you running your query for the exact same host (host filter explicitly specified)?

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...