Solved: Where the logs for runtime search errors and searc...

mngeow · ‎05-18-2017

Hi,

I am still relatively new to Splunk. I'm trying to analyze the splunk internal logs. I am currently trying to find the logs for the following:

Runtime Search Errors
Search Response Time

For runtime search errors, I really have no idea where the logs are stored.

I do have some idea on where the search response times can be found. I have looked in the splunk_access and splunk_web_access and found the response times. But I am not sure of the difference between the two.

I am also trying to understand the syntax of the logs as well, would be helpful if you could shed some light on that as well.

Thank you.

cmerriman · ‎05-19-2017

http://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/AboutAccessLogs

it looks like the duration for both the splunk_web_access and splunkd_access logs are the same, but web_access offers new components starting in 6.2.0.

you can look through the _audit and _internal indexes for user search history. I use the _internal index to look if scheduled searches had errors, if that helps.

View solution in original post

cmerriman · ‎05-19-2017

http://docs.splunk.com/Documentation/Splunk/6.6.0/Troubleshooting/AboutAccessLogs

it looks like the duration for both the splunk_web_access and splunkd_access logs are the same, but web_access offers new components starting in 6.2.0.

you can look through the _audit and _internal indexes for user search history. I use the _internal index to look if scheduled searches had errors, if that helps.

Where the logs for runtime search errors and search response times are stored?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms