Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

where does splunk store the logs which specify starting/stoping the splunk ?

AKG1_old1
Builder
‎02-23-2017 06:54 AM

Hi,

I want to keep track of splunk startup and stop.

I have checked splunkd.log file but its not clearly specifying started/stopped sucessfully. Even when we start/stop Splunk using command line. It shows message like below on screen. Not sure if same information is stored in some file.

Starting splunk server daemon (splunkd)...
Done
[ OK ]

Stopping splunk helpers...
[ OK ]
Done.

Question:
Is there any logs which specify that splunk started /stopped successfully ?

Thanks
Ankit

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-23-2017 07:22 AM

I doubt stdout for restarts is stored directly but there is similar stuff inside $SPLUNK_HOME/var/log/splunk/splunkd.log and also mongod.log; look for "stop*", "clos*", "shut*", and "flush*". If you are looking something else, check out audit.log; I am sure there is a clear "splunk was shut down" and "splunk was started" event there. You can try a search like this:

index=_* stop* OR start* OR clos* OR shut OR flush*

And then look at the Patterns tab to clump events.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-23-2017 07:22 AM

I doubt stdout for restarts is stored directly but there is similar stuff inside $SPLUNK_HOME/var/log/splunk/splunkd.log and also mongod.log; look for "stop*", "clos*", "shut*", and "flush*". If you are looking something else, check out audit.log; I am sure there is a clear "splunk was shut down" and "splunk was started" event there. You can try a search like this:

index=_* stop* OR start* OR clos* OR shut OR flush*

And then look at the Patterns tab to clump events.

Reply
Solved! Jump to solution

AKG1_old1
Builder
‎02-23-2017 08:25 AM

Thank you 🙂

audit.log worked perfect for me as we are already monitoring audit.log

action=splunkShuttingDown
action=splunkStarting

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-23-2017 07:10 AM

It should be in splunkd_stderr.log

$SPLUNK_HOME/var/log/splunk

http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/WhatSplunklogsaboutitself

0 Karma
Reply
Solved! Jump to solution

AKG1_old1
Builder
‎02-23-2017 08:24 AM

Thanks for your help !! splunkd_stderr.log shows following message.

2017-02-23 16:44:04.148 +0100 splunkd started (build 59c8927def0f) For startup
2017-02-23 16:44:25.885 +0100 Interrupt signal received - for stop

but audit.log worked perfect for me as we are already monitoring audit.log
audit.log
action=splunkShuttingDown
action=splunkStarting

Thanks
Ankit

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...