Splunk® Enterprise

Troubleshooting Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

How to file a great Support case

When you're contacting Support, you can save time by starting out with everything we'll need!

Here are some ideas to get you started.

Describe the issue

Where does the issue occur? On a forwarder? On an indexer?

What elements are present for the issue? What's the timeline leading to the error? What processes are running when the error appears?

What behavior do you observe, compared to what you expect? Be specific - for example, how late is "late"?

Try to classify the problem:

  • Is it a searching issue? These include Splunk Web, management, roles, apps, views and dashboards, search language.
  • Is it a back end issue? These problems could include crashing, OS issues, REST API, or SDK.
  • Is it a configuration issue? These include extractions, input configurations, forwarding, apps disabling, or authentication.
  • Is it a performance problem?

Send diagnosis files

Most support cases are opened in response to functional problems: Splunk has been configured to do something, but it is behaving in an unexpected way.

Splunk Support needs both the context of the problem and insight into the instance that is not performing as expected. That insight comes in the form of a "diag," which is essentially a snapshot of the configuration of the host server, the Splunk instance, and the recent logs of that instance.

Whether your problem is with a forwarder, an indexer, a search head, or a deployment server, send us your diag. If you have a forwarder and a receiver that aren't working together correctly, send us diags of both. (If you have many forwarders, just send one representative forwarder diag.)

The diag tarball or .zip does not contain any of your indexed data, but if you do have concerns then please go ahead and extract yourself to examine the contents. Read about making a diag in this manual.

Please note that Splunk Support might request another diag after recommending a change or update to the instance. This diag can ensure that the change has been applied and verify the impact, if any, to the instance. It is not unusual to have multiple updated diags for a single case.

Splunk Support understands that it is not always straightforward to collect a diag from certain machines, due to a variety of restrictions. If this is the case with your environment, detail that in your case and we will adjust our approach and requests accordingly.

Contact Support
Anonymize data samples to send to Support

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 6.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters