Solved: How to catch ERROR events in search processes

lukasz92 · ‎01-16-2017

Hi,

Is it possible to create a search, that finds all "ERROR" messages in search.log for all search jobs?
I tried to search it in _internal - but not found.

hunters_splunk · ‎01-16-2017

Hi lukasz92,

The short answer is No. search.log files are not stored under $SPLUNK_HOME/var/log/splunk/ but are written to SPLUNK_HOME/var/run/splunk/dispatch// .
Scheduled jobs (scheduled saved searches) include the saved search name as part of the directory name.

Search jobs manifest as a process in the OS. There are two processes in Linux for each search job: search-launcher and process-runner. You can isolate all the Splunk search processes with: ps -ef | grep search. The main job is the one using system resources and contains search --id in its name.

Hope this helps. Thanks!
Hunter

View solution in original post

hunters_splunk · ‎01-16-2017

Hi lukasz92,

The short answer is No. search.log files are not stored under $SPLUNK_HOME/var/log/splunk/ but are written to SPLUNK_HOME/var/run/splunk/dispatch// .
Scheduled jobs (scheduled saved searches) include the saved search name as part of the directory name.

Search jobs manifest as a process in the OS. There are two processes in Linux for each search job: search-launcher and process-runner. You can isolate all the Splunk search processes with: ps -ef | grep search. The main job is the one using system resources and contains search --id in its name.

Hope this helps. Thanks!
Hunter

How to catch ERROR events in search processes

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud