Splunk_Docker/files/splunk-etc/log.cfg

#   Version 9.2.2.20240415
# log.cfg
# This file contains the debugging output controls
# Customers can change debugging levels as needed with output going to
# $SPLUNK_HOME/var/log/splunk/splunkd_std...
#
# Organized by codebase area, and by alpha case-insensitive within each such area.
#
# NOTE:
# Changes to log destinations will break functionality depending on their
# standard location. Log files will not be collected by `splunk diag`, the
# log contents will likely not be available to search (unless inputs are
# adjusted), and even if they are the sourcetyping will likely not be correct,
# impairing searches against internal indexes, used by among other things the
# Monitoring Console (DMC).
# Symbolic links to the directory ($SPLUNK_HOME/var/log or 
# $SPLUNK_HOME/var/log/splunk) are the advised alternative.
#
[splunkd]
rootCategory=WARN,A1
# AwsSDK
category.AwsSDK=FATAL
# Offloading Search Artifacts to Remote Storage
category.DispatchStorageManager=INFO
# MetricStore
category.CatalogSearchJob=INFO
category.MetricStoreCatalogBaseHandler=INFO
category.MetricsHandler=INFO
category.DimensionsHandler=INFO
category.MetricSchemaProcessor=INFO
category.MetricsRollupPolicy=INFO
category.MetricsRollupPolicyHandler=INFO
category.MetricsRollupSavedSearchHandler=INFO
category.MetricsRollupSearchProcessor=INFO
category.MetricAlertManager=INFO
category.MetricAlertConditionEvaluator=INFO
category.MetricAlertAdminHandler=INFO
category.MetricAlert=INFO
# TailingProcessor is meant to be used at level INFO -- without it, analyzing a
# normal diag becomes much harder.  Do NOT remove the TailingProcessor logger.
category.TailingProcessor=INFO
category.WatchedFile=INFO
category.ChunkedLBProcessor=INFO
category.ArchiveProcessor=INFO
category.MetricsProcessor=INFO
category.TailReader=INFO
category.BucketBuilder=INFO
category.AuthenticationProviderLDAP=INFO
category.ApplicationManager=INFO
category.AuthenticationManager=INFO
category.ApplicationUpdater=INFO
#ProxySso
category.AuthenticationProviderProxySso=INFO
category.ProxySsoConfig=INFO
# Token Auth
category.JsonWebToken=INFO
category.JsonWebTokenHandler=INFO
category.RemoteAccessToken=INFO
category.IACSessionToken=INFO
category.LoggedOutSessionManager=INFO
category.SessionManager=INFO
# SCS
category.SCSTokenHandler=INFO
category.SCSTenantConfigHandler=INFO
category.ScsConfig=INFO
category.ScsClient=INFO
category.ScsTokenValidator=INFO
# Scripted
category.AuthenticationProviderScripted=INFO
category.ScriptedAuthHelper=INFO
# Certificates
category.CertificateData=INFO
category.CertManagerHandler=INFO
# SAML 
category.UiSAML=INFO
category.Saml=INFO
category.AuthenticationProviderSAML=INFO
category.SAMLConfig=INFO
category.AttrQueryRequestJob=INFO
category.CertStorageProvider=INFO
# MFA
category.Duo2FA=INFO
category.Rsa2FA=INFO
category.MultiFactorAuthManager=INFO
# indexer
category.BucketMover=INFO
category.BucketReplicator=INFO
category.ColdStorageArchiver=INFO
category.DatabaseDirectoryManager=INFO,buffered
category.DbMaxSizeManager=INFO
category.DeleteSearchHelper=INFO
category.DiskMon=INFO
category.Fsck=INFO
category.HeartbeatService=INFO
category.HotBucketRoller=INFO
category.HotBucketStreaming=INFO
category.HotBucketStreaming:Command=DEBUG
category.HotBucketStreaming:Metrics=INFO
category.HotBucketTasks=INFO
category.HotBucketTasks:Metrics=INFO
category.HotDBManager=INFO
category.IndexConfig=INFO
category.IndexerIf=INFO
category.IndexerInit=INFO
category.IndexerService=INFO
category.IndexProcessor=INFO
category.IndexReaderIf=INFO
category.IndexWriter=INFO
category.LocalBucketIdGenerator=INFO
category.OnlineFsck=INFO
category.PreShutdownIndexingCleaner=INFO
category.ProcessTracker=INFO
category.RollAndUploadHotBuckets=INFO
category.RollAndUploadHotBuckets:Metrics=INFO
category.SelfStorageArchiver=INFO
category.StreamGroup=INFO
category.TimeInvertedIndex=INFO
category.VolumeManager=INFO
category.RTRouter=INFO
category.SmartbusBootstrapper=INFO
# To enable verbose logging from the splunk-optimize external process into splunkd.log,
# set "category.SplunkOptimize" = INFO or DEBUG.
# Ingest Actions
category.RfsOutputProcessor=INFO
category.RfsOutputWorker=INFO
category.RfsDestination=INFO
category.TeeProcessor=INFO
category.StreamPDataSubscribers=INFO
category.RfsOutputHealthReport=INFO
category.IngestActionsRulesHandler=INFO
category.IngestActionsRfsDestinationHandler=INFO
# deployment server & client
category.Application=INFO
category.ClientSelectionSupport=INFO
category.ClientSessionsManager=INFO
category.ClientSessionsManager:Listener_AppEvents=INFO
category.ClientSessionsManager:Listener_Phonehomes=INFO
category.ClientSessionsManager:Listener_Registrar=INFO
category.DeployedApplication=INFO
category.DeployedServerclass=INFO
category.DC:DeploymentClient=INFO
category.DC:UpdateServerclassHandler=INFO
category.DC:HandshakeReplyHandler=INFO
category.DC:PhonehomeThread=INFO
category.DeploymentServer=INFO
category.DeploymentServerAdminHandler=INFO
category.DeploymentServerReload=INFO
category.DCManager=INFO
category.DSConfigInterfaces=INFO
category.DS_DC_Common=INFO
category.DSClientFilter=INFO
category.DSClientsAdminHandler=INFO
category.DSManager=INFO
category.FilterManagingHandlerSupport=INFO
category.PackageDownloadRestHandler=INFO
category.Serverclass=INFO
category.ServerclassAdminHandler=INFO
category.DeploymentServer:Listener_Handshake=INFO
# The REST_Calls logger is only active at DEBUG.
category.REST_Calls=INFO
# For problems encountered when collecting i-data.  But i-data itself goes into
# separate appenders:
# - appender.idata_ResourceUsage 
# - appender.idata_DiskObjects
# - appender.idata_KVStore
category.IntrospectionGenerator:resource_usage=INFO
category.IntrospectionGenerator:disk_objects=INFO
category.IntrospectionGenerator:kvstore=INFO
category.KeyManagerLocalhost=INFO
category.KeyManagerSearchPeers=INFO
category.KeyManagerSettings=INFO
category.ModularInputs=INFO
category.NetUtils=INFO
category.PipelineComponent=INFO
category.PrometheusMetricsHandler=INFO
category.ProxyConfig=INFO
category.QueryLanguageParser=WARN
category.ServerConfig=INFO
category.ServerRoles=INFO
category.Shutdown=INFO
category.SpecFiles=INFO
category.SSLCommon=INFO
category.TcpOutputProc=INFO
category.AutoLoadBalancedConnectionStrategy=INFO
category.TcpInputConfig=INFO
category.TcpInputProc=INFO
category.RetireOldS2S=INFO
category.ThruputProcessor=INFO
category.UDPInputProcessor=INFO
category.ViewstateReaper=INFO
category.ScheduledViewsReaper=INFO
category.ScheduledViewsMatcher=INFO
category.WinEventLogInputProcessor=INFO
category.WinEventLogChannel=INFO
category.WinEventLog=INFO
category.BundlesSetup=INFO
category.BundlesUtil=INFO
category.Archiver=INFO
category.HttpEventCollector=INFO
category.ConfBulkCopier=INFO
category.LimitsHandler=INFO
# local proxy
category.LocalProxyRestHandler=INFO
# cascading-replication
category.CascadePlan=WARN
category.CascadePlansHandler=WARN
category.CascadeReplicationReaper=WARN
category.CascadingReplicationManager=INFO
category.CascadingUploadHandler=WARN
category.CascadingReplicationTransaction=WARN
# workload-management
category.WorkloadManager=INFO
category.WorkloadConfig=INFO
category.WorkloadClass=WARN
category.CgroupMapper=WARN
# pub-sub
category.HttpPubSubConnection=INFO
category.HttpPubSubSvr=INFO
category.PubSubSvr=INFO
category.DSGlobalConfigManager=INFO
# knowledge bundle replication
category.DistributedBundleReplicationManager=WARN
category.BundleReplicationProvider=WARN
category.ClassicBundleReplicationProvider=WARN
category.CascadingBundleReplicationProvider=WARN
category.RFSBundleReplicationProvider=WARN
category.RFSManager=WARN
# SPL-82288
category.ProcessDispatchedSearch=ERROR
# Config Audit
category.ConfigWatcher=INFO
category.ConfigWatcherThread=INFO
# category.DispatchCommand no longer exists to get the same logging you can turn on these categories:
# 
# category.BundleReplicatorThread
# category.DispatchCommandProcessor
# category.DispatchCommandUtils
# category.DispatchManager
# category.DispatchProcess
# category.DispatchSearchMetadata
# category.DispatchThread
# category.ISplunkDispatch
# category.ProviderQueue
# category.SearchStateListener
category.SearchShutdown=INFO
category.BackgroundJobRestarter=INFO
category.ExecProcessor=INFO
category.ExecProcessor:Introspect=INFO
category.LatestIdataEndpoints=INFO
category.IOWaitHealthReport=INFO
category.DistributedLeaseManager=INFO
# licenser
category.LicenseMgr=INFO
category.LMAdminHandlerLicenses=INFO
category.LMAdminHandlerMessages=INFO
category.LMAdminHandlerMeta=INFO
category.LMAdminHandlerPools=INFO
category.LMAdminHandlerSlaves=INFO
category.LMAdminHandlerTracker=INFO
category.LMApplyResponse=INFO
category.LMConfig=INFO
category.LMDirective=INFO
category.LMHttpUtil=INFO
category.LMLicense=INFO
category.LMMasterRestHandler=INFO
category.LMMessageMgr=INFO
category.LMPool=INFO
category.LMRows=INFO
category.LMSlaveInfo=INFO
category.LMStack=INFO
category.LMStackMgr=INFO
category.LMTracker=INFO
category.LMTrackerDb=INFO
category.LMUtil=INFO
category.LMViolation=INFO
# clustering
category.CMBucketId=INFO
category.CMBucketRemovalPipe=INFO
category.CMMaster=INFO,buffered
category.CMManager = INFO,buffered
category.CMMasterRemoteStorageThread=INFO
category.CMCorruptBucketFixup=INFO
category.CMManagerRemoteStorageThread=INFO
category.CMIndexerDiscovery=INFO
category.CMMasterProxy=INFO
category.CMManagerProxy=INFO
category.CMRollingManager=INFO
category.ClusteringMgr=INFO
category.CMSlave=INFO,buffered
category.CMLocalBucketExecutor=INFO,buffered
category.CMFallbackMaster=INFO
category.CMFallbackManager=INFO
category.CMConfig=INFO
category.CMPeer=INFO,buffered
category.CMRepJob=INFO
category.CMBucket=INFO,buffered
category.ClusterSlaveInfoHandler=INFO
category.ClusterSlaveBucketHandler=INFO
category.ClusterSlaveControlHandler=INFO
category.ClusterSlaveConfigReloader=INFO
category.ClusterPeerInfoHandler=INFO
category.ClusterPeerBucketHandler=INFO
category.ClusterPeerControlHandler=INFO
category.ClusterPeerConfigReloader=INFO
category.ClusterMasterBucketHandler=INFO
category.ClusterMasterPeerHandler=INFO
category.ClusterMasterControlHandler=INFO
category.ClusterManagerBucketHandler=INFO
category.ClusterManagerPeerHandler=INFO
category.ClusterManagerControlHandler=INFO
category.CMBucketLocator=INFO
category.CMBundleMgr=INFO
category.S2SFileReceiver=INFO
category.CMMasterHTTPProxy=INFO
category.CMManagerHTTPProxy=INFO
category.StreamingBucketBuilder=INFO
category.CMServiceThread=INFO
category.CMMasterServiceThread=INFO
category.CMManagerServiceThread=INFO
category.CMHeartbeatThread=INFO
category.CMHAHeartbeatThread=INFO
category.CMStandby=INFO
category.CMHAInfo=INFO
category.CMRedundancy=INFO
category.CMSearchFilesSyncer=INFO
category.CMReplicationRegistry=INFO
category.BundleJob=INFO
category.ClusterBundleValidator=INFO
category.Fixup=INFO
category.FixupStrategy=INFO
category.CMMultiSiteSelector=INFO
category.PipeFlusher=INFO
category.CMProxyManager=INFO
category.CMRepThruputManager=INFO
category.CMUsageRebalance=INFO
category.CMBucketUsage=INFO
# SmartStore on GCS
category.GCSClient=INFO
# SmartStore on Azure
category.AzureStorageClient=INFO
#shclustering
category.SHCConfig=INFO
category.SHCRaftConsensus=INFO
category.SHCRepJob=INFO
category.SHClusterMgr=INFO
category.SHCMaster=INFO
category.SHCSlave=INFO
category.ArtifactReplicator=INFO
#remote-queues
category.RemoteQueueOutputProcessor=INFO
category.RemoteQueueInputProcessor=INFO
category.SQSSmartbusInputWorker=INFO
category.SQSCloudProcessorOutputWorker=INFO
category.SqsWorkerGlobalMetricsManager=INFO
category.DataLakeInputProcessor=INFO
category.DataLakeInputInfo=INFO
category.SQSDataLakeWorker=INFO
# leave loader at INFO!  this is what gives us our build + system info...
category.loader=INFO
category.ulimit=INFO
category.TPool=INFO
category.MPool=INFO
# kvstore
category.MongoDriver=ERROR
category.MongodRunner=INFO
category.MongoLookup=WARN 
category.StateStoreLookup=WARN 
category.KVStorageEngineUpgrade=INFO
category.KVStoreBackupRestore=INFO
category.KVStoreAdminHandler=INFO
category.KVStoreUIStateProvider=INFO
category.CollectionCacheManager=INFO
category.CollectionFetchJob=INFO
category.S3CollectionFetchJob=INFO
category.SHCMasterKVStoreMigrationState=INFO
#modular alerts
category.sendmodalert=INFO
#telemetry
category.TelemetryHandler=INFO
#distributed tracer
category.DistributedTracer=INFO
# BBM
category.BulletinBoardManager=WARN
category.BulletinBoard = INFO
# CacheManager
category.CacheManager=INFO,buffered
category.CacheManagerHandler=WARN
# Remote Storage
category.StorageInterface = INFO
# Noah
category.BatchRequestHandler = INFO
category.BatchRequestHandler:Metrics = INFO
category.IndexBootstrapper = INFO
category.EarlyRepairManager = INFO
category.DisasterRecoveryManager = INFO
category.NoahConfiguration=INFO
category.NoahHeartbeat=INFO
category.NoahIndexerClient=INFO
category.NoahSearchPeerFetcher=INFO
category.NoahSearchPeerThread=INFO
category.NoahSearchPeerInfoCache=INFO
category.UiHttpListener=INFO
# state-free search
category.HandleStateFreeJobsDataProvider=INFO
# FADE
category.FileAndDirectoryEliminator=INFO
# UI appserver startup messages
category.UiAppServer=INFO
# Pathname, Windows only
category.Pathname=INFO
# SSAI (formerly known as DMC)
category.DMCRunner=INFO
# Bucket Merge
category.BucketMerger=INFO
# Per transform rule metrics
category.RegexExtractionTransformStats=INFO
#
# we're not sending stuff to the console anymore
# now that we're daemonized.
#
appender.rootAppender=ConsoleAppender
appender.rootAppender.layout=PatternLayout
appender.rootAppender.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
# if these log files are getting too big for your liking, turn down the maxFileSize.
# it's best to not make them too small, however, because these logs can be very
# useful in troubleshooting.
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.A1.maxBackupIndex=5
appender.A1.layout=PatternLayout
# The timstamp patterns used for the Splunkd logs should be kept in synchronization with:
# - etc/system/default/props.conf [splunkd] TIME_FORMAT
# - src/framework/SplunkdTimestamp.cpp
appender.A1.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c [%T %t] - %m%n
### Configure buffering and buffer size - For Splunk internal purpose Only!!
###
### category.CMMaster=INFO,A1,A2,buffered
### appender.A1.bufferSize=16384 # in bytes
###
### DO NOT USE APPENDER A3!
###
### This used to be used for splunklogger.log, which has gone away.  We don't
### want user settings for the old splunklogger to inadvertently take effect
### on whatever A3 ends up being used for...
### 
### appender.A3.fileName=${SPLUNK_HOME}/var/log/splunk/splunklogger.log
###
appender.license_usage=RollingFileAppender
appender.license_usage.fileName=${SPLUNK_HOME}/var/log/splunk/license_usage.log
appender.license_usage.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.license_usage.maxBackupIndex=5
appender.license_usage.layout=PatternLayout
appender.license_usage.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.LicenseUsage=INFO,license_usage
appender.license_usage_summary=RollingFileAppender
appender.license_usage_summary.fileName=${SPLUNK_HOME}/var/log/splunk/license_usage_summary.log
appender.license_usage_summary.maxFileSize=5000000 # max size of 5MB so that max size on disk will be 25 MB
appender.license_usage_summary.maxBackupIndex=5
appender.license_usage_summary.layout=PatternLayout
appender.license_usage_summary.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.LicenseUsageSummary=INFO,license_usage_summary
appender.A4=RollingFileAppender
appender.A4.fileName=${SPLUNK_HOME}/var/log/splunk/searchhistory.log
appender.A4.maxFileSize=0
# Note: the searchhistory.log logfile is not used, as of Splunk 4.3 release.
# metrics spews a lot of logs, let's not pollute the other files.
appender.metrics=RollingFileAppender
appender.metrics.fileName=${SPLUNK_HOME}/var/log/splunk/metrics.log
appender.metrics.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.metrics.maxBackupIndex=5
appender.metrics.layout=PatternLayout
appender.metrics.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.Metrics=INFO,metrics
# audit logs go a separate file
appender.audittrail=RollingFileAppender
appender.audittrail.fileName=${SPLUNK_HOME}/var/log/splunk/audit.log
appender.audittrail.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.audittrail.maxBackupIndex=5
appender.audittrail.layout=PatternLayout
appender.audittrail.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.AuditLogger=INFO,audittrail
#splunkd http server acccess log
appender.accesslog=RollingFileAppender
appender.accesslog.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd_access.log
appender.accesslog.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.accesslog.maxBackupIndex=5
appender.accesslog.layout=PatternLayout
appender.accesslog.layout.ConversionPattern=%m%n
category.HTTPAccess=INFO,accesslog
#splunkd access log for web UI port
appender.uiaccess=RollingFileAppender
appender.uiaccess.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd_ui_access.log
appender.uiaccess.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.uiaccess.maxBackupIndex=5
appender.uiaccess.layout=PatternLayout
appender.uiaccess.layout.ConversionPattern=%m%n
category.WebUiAccess=INFO,uiaccess
#splunkd search scheduler log
appender.scheduler=RollingFileAppender
appender.scheduler.fileName=${SPLUNK_HOME}/var/log/splunk/scheduler.log
appender.scheduler.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.scheduler.maxBackupIndex=5
appender.scheduler.layout=PatternLayout
appender.scheduler.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.SavedSearchAuditor=INFO,scheduler
category.SavedSearchHistory=INFO,scheduler
category.SavedSplunker=INFO,scheduler
#splunkd remote searches log
appender.remotesearches=RollingFileAppender
appender.remotesearches.fileName=${SPLUNK_HOME}/var/log/splunk/remote_searches.log
appender.remotesearches.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.remotesearches.maxBackupIndex=5
appender.remotesearches.layout=PatternLayout
appender.remotesearches.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.StreamedSearch=INFO,remotesearches
# Introspection output (i-data): Resource Usage
appender.idata_ResourceUsage=RollingFileAppender
appender.idata_ResourceUsage.fileName=${SPLUNK_HOME}/var/log/introspection/resource_usage.log
appender.idata_ResourceUsage.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.idata_ResourceUsage.maxBackupIndex=5
appender.idata_ResourceUsage.layout=PatternLayout
appender.idata_ResourceUsage.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.idata_ResourceUsage.serialization=JSON
category.IOStats=INFO,idata_ResourceUsage
category.IOWait=INFO,idata_ResourceUsage
category.Hostwide=INFO,idata_ResourceUsage
category.PerProcess=INFO,idata_ResourceUsage
#splunkd configuration system log
appender.conf=RollingFileAppender
appender.conf.fileName=${SPLUNK_HOME}/var/log/splunk/conf.log
appender.conf.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.conf.maxBackupIndex=5
appender.conf.layout=PatternLayout
appender.conf.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.conf.serialization=JSON
appender.conf.maxMessageSize=1000000
category.ConfOp=INFO,conf
category.ConfDeployment=INFO,conf
# Introspection output (i-data): Disk Objects
appender.idata_DiskObjects=RollingFileAppender
appender.idata_DiskObjects.fileName=${SPLUNK_HOME}/var/log/introspection/disk_objects.log
appender.idata_DiskObjects.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.idata_DiskObjects.maxBackupIndex=5
appender.idata_DiskObjects.layout=PatternLayout
appender.idata_DiskObjects.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.idata_DiskObjects.serialization=JSON
category.Fishbucket=INFO,idata_DiskObjects
category.Indexes=INFO,idata_DiskObjects
category.Summaries=INFO,idata_DiskObjects
category.Volumes=INFO,idata_DiskObjects
category.Dispatch=INFO,idata_DiskObjects
category.Partitions=INFO,idata_DiskObjects
category.DistributedIndexes=INFO,idata_DiskObjects
# Introspection output (i-data): KV Store statistics
appender.idata_KVStore=RollingFileAppender
appender.idata_KVStore.fileName=${SPLUNK_HOME}/var/log/introspection/kvstore.log
appender.idata_KVStore.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.idata_KVStore.maxBackupIndex=5
appender.idata_KVStore.layout=PatternLayout
appender.idata_KVStore.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.idata_KVStore.serialization=JSON
appender.idata_KVStore.maxMessageSize=1000000
category.KVStoreServerStats=INFO,idata_KVStore
category.KVStoreOperationStats=INFO,idata_KVStore
category.KVStoreCollectionStats=INFO,idata_KVStore
category.KVStoreProfilingStats=INFO,idata_KVStore
category.KVStoreReplicaSetStats=INFO,idata_KVStore
# kvstore daemon (mongod) log
appender.kvstore_appender=RollingFileAppender
appender.kvstore_appender.fileName=${SPLUNK_HOME}/var/log/splunk/mongod.log
appender.kvstore_appender.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.kvstore_appender.maxBackupIndex=5
appender.kvstore_appender.layout=PatternLayout
appender.kvstore_appender.layout.ConversionPattern=%m%n
category.mongodlog=INFO,kvstore_appender
# token input metrics
appender.idata_HttpEventCollector=RollingFileAppender
appender.idata_HttpEventCollector.fileName=${SPLUNK_HOME}/var/log/introspection/http_event_collector_metrics.log
appender.idata_HttpEventCollector.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.idata_HttpEventCollector.maxBackupIndex=5
appender.idata_HttpEventCollector.layout=PatternLayout
appender.idata_HttpEventCollector.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.idata_HttpEventCollector.serialization=JSON
category.HttpEventCollector=INFO,idata_HttpEventCollector
# health change log
appender.healthreporter=RollingFileAppender
appender.healthreporter.fileName=${SPLUNK_HOME}/var/log/splunk/health.log
appender.healthreporter.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.healthreporter.maxBackupIndex=5
appender.healthreporter.layout=PatternLayout
appender.healthreporter.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.HealthChangeReporter=INFO,healthreporter
category.PeriodicHealthReporter=INFO,healthreporter
# watchdog log
appender.watchdog_appender=RollingFileAppender
appender.watchdog_appender.fileName=${SPLUNK_HOME}/var/log/watchdog/watchdog.log
appender.watchdog_appender.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.watchdog_appender.maxBackupIndex=5
appender.watchdog_appender.layout=PatternLayout
appender.watchdog_appender.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.Watchdog=INFO,watchdog_appender
category.WatchdogActions=INFO,watchdog_appender
category.Pstacks=INFO,watchdog_appender
category.PstackServerThread=INFO,watchdog_appender
category.PstackGeneratorThread=INFO,watchdog_appender
category.WatchdogStacksUtils=INFO,watchdog_appender
category.WatchdogInit=INFO,watchdog_appender
# shc backup/restore log
category.AppsBackupHandler=INFO
category.AppsRestoreHandler=INFO
category.BackupRestoreThread=INFO
# search messages log (SPL-166549)
appender.searchmsgs_appender=RollingFileAppender
appender.searchmsgs_appender.fileName=${SPLUNK_HOME}/var/log/splunk/search_messages.log
appender.searchmsgs_appender.maxFileSize=10000000 # default: 10MB (specified in bytes)
appender.searchmsgs_appender.maxBackupIndex=5
appender.searchmsgs_appender.layout=PatternLayout
appender.searchmsgs_appender.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.SearchMessages=DEBUG,searchmsgs_appender
# splunk instrumentation cloud data
appender.telemetry_cloud=RollingFileAppender
appender.telemetry_cloud.fileName=${SPLUNK_HOME}/var/log/splunk/splunk_instrumentation_cloud.log
appender.telemetry_cloud.maxFileSize=5000000 # default: 5MB (specified in bytes).
appender.telemetry_cloud.maxBackupIndex=5
appender.telemetry_cloud.layout=PatternLayout
appender.telemetry_cloud.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
appender.telemetry_cloud.serialization=JSON
category.TelemetryCloudData=INFO,telemetry_cloud
# workload management monitoring log
appender.workloadmanager=RollingFileAppender
appender.workloadmanager.fileName=${SPLUNK_HOME}/var/log/splunk/wlm_monitor.log
appender.workloadmanager.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.workloadmanager.maxBackupIndex=5
appender.workloadmanager.layout=PatternLayout
appender.workloadmanager.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
category.WorkloadMonitorLog=INFO,workloadmanager
category.SearchInfoLogger=INFO
# Config file change log
appender.confchangelogger=RollingFileAppender
appender.confchangelogger.fileName=${SPLUNK_HOME}/var/log/splunk/configuration_change.log
appender.confchangelogger.maxFileSize=25000000 # default: 25MB (specified in bytes).
appender.confchangelogger.maxBackupIndex=5
appender.confchangelogger.layout=PatternLayout
appender.confchangelogger.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
appender.confchangelogger.serialization=JSON
# 25MB (specified in bytes).This is the maximum size of the diff that can be logged
# in a single event.
appender.confchangelogger.maxMessageSize=25000000 
category.ConfigChange=INFO,confchangelogger
# mergebuckets.log
appender.mergebuckets=RollingFileAppender
appender.mergebuckets.fileName=${SPLUNK_HOME}/var/log/splunk/mergebuckets.log
appender.mergebuckets.maxFileSize=5000000 # default: 5MB (specified in bytes).
appender.mergebuckets.maxBackupIndex=5
category.MergeBuckets=INFO,mergebuckets
# bucket merger
category.ClusterMergeBucketsHandler=INFO
category.CMBucketMergeManager=INFO
category.BucketMergeHandler=INFO
# search history replication
category.SearchHistory=INFO
category.SearchHistoryMigrate=INFO
#SPL2
category.Spl2Transpiler=INFO
# HTTP Proxy
category.RegisterPackageHandler=INFO
# deployment server
appender.phonehome=RollingFileAppender
appender.phonehome.fileName=${SPLUNK_HOME}/var/log/client_events/phonehomes_${GUID}.log
appender.phonehome.maxFileSize=5000000 # default: 5MB (specified in bytes).
appender.phonehome.maxBackupIndex=5
appender.phonehome.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.phonehome.layout=PatternLayout
appender.phonehome.serialization=JSON
category.DSphonehome=INFO,phonehome
appender.appevent=RollingFileAppender
appender.appevent.fileName=${SPLUNK_HOME}/var/log/client_events/appevents_${GUID}.log
appender.appevent.maxFileSize=10000000 # default: 10MB (specified in bytes).
appender.appevent.maxBackupIndex=5
appender.appevent.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.appevent.layout=PatternLayout
appender.appevent.serialization=JSON
category.DSappevent=INFO,appevent
appender.client=RollingFileAppender
appender.client.fileName=${SPLUNK_HOME}/var/log/client_events/clients_${GUID}.log
appender.client.maxFileSize=1000000 # default: 1MB (specified in bytes).
appender.client.maxBackupIndex=5
appender.client.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-4p %c - %m%n
appender.client.layout=PatternLayout
appender.client.serialization=JSON
category.DSclient=INFO,client
#
# define splunk python logging properties
#
# logging classes are defined by a logging declaration at the log of each
# file.
#
# 	splunk
# 	splunk.appserver
# 	splunk.search
#
[python]
splunk = INFO
splunk.appserver = INFO
splunk.appserver.controllers = INFO
# at DEBUG level the proxy controller will log the contents of all requests and responses
# this can be very verbose and is not recommended for production use
splunk.appserver.controllers.proxy = INFO
splunk.appserver.lib = WARN
splunk.pdfgen = INFO
splunk.archiver_restoration = INFO
splunk.rum = INFO