Collect and Analyze Logs
Analyzing logs is essential for identifying root causes and resolving issues quickly. When troubleshooting, check for the following indicators:
-
Review system and app-specific logs for error messages related to configuration, API connectivity, data ingestion, or access control. Check the logs for entries marked with
ERROR
,WARN
, orFATAL
. -
Input-specific issues such as “Failed to fetch inputs,”“Invalid credentials,” or “Timeout”.
-
Timestamp bookmarks where data ingestion pauses or stops.
The following log files are particularly useful during diagnostics:
-
Main Splunk Log
Contains general system errors, including indexing issues, ingestion failures, and Splunk service restarts.
$SPLUNK_HOME/var/log/splunk/splunkd.log
-
Cisco App-Specific Log
Tracks input creation, connectivity to Cisco APIs, and error responses from connectors.
$SPLUNK_HOME/var/log/splunk/CiscoSecurityCloud/CiscoSecurityCloud.log
-
Performance Metrics Log
Provides metrics on data throughput, CPU usage, memory, and indexing delays.
$SPLUNK_HOME/var/log/splunk/metrics.log