You might need to search host logs for error and failure events when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- System log data
While metrics help you isolate which hosts are having problems and when those problems began, logs and events generally contain information needed to get to the true cause of the issue. You want to use Splunk to isolate logs and events coming from the host and look for any common indicators of trouble such as “error” or “failed”.
To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
host=* sourcetype=* (error OR fail*)
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|host=*||Search any host in your deployment.|
|sourcetype=* (error OR fail*)||Search any source type in your deployment.|
|(error OR fail*)||Search for error or failure events.|
These search results give you easy and quick visibility into which hosts and data sources you need to investigate.