Hi,
I am still relatively new to Splunk. I'm trying to analyze the splunk internal logs. I am currently trying to find the logs for the following:
For runtime search errors, I really have no idea where the logs are stored.
I do have some idea on where the search response times can be found. I have looked in the splunk_access and splunk_web_access and found the response times. But I am not sure of the difference between the two.
I am also trying to understand the syntax of the logs as well, would be helpful if you could shed some light on that as well.
Thank you.
http://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/AboutAccessLogs
it looks like the duration for both the splunk_web_access and splunkd_access logs are the same, but web_access offers new components starting in 6.2.0.
you can look through the _audit and _internal indexes for user search history. I use the _internal index to look if scheduled searches had errors, if that helps.
http://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/AboutAccessLogs
it looks like the duration for both the splunk_web_access and splunkd_access logs are the same, but web_access offers new components starting in 6.2.0.
you can look through the _audit and _internal indexes for user search history. I use the _internal index to look if scheduled searches had errors, if that helps.