Splunk® Enterprise

Troubleshooting Manual

Download manual as PDF

How to file a great Support case

When you're contacting Support, you can save time by starting out with everything we'll need!

Here are some ideas to get you started.

Describe the issue

Where does the issue occur? On a forwarder? On an indexer?

What elements are present for the issue? What's the timeline leading to the error? What processes are running when the error appears?

What behavior do you observe, compared to what you expect? Be specific - for example, how late is "late"?

Try to classify the problem:

  • Is it a searching issue? These include Splunk Web, management, roles, apps, views and dashboards, search language.
  • Is it a back end issue? These problems could include crashing, OS issues, REST API, or SDK.
  • Is it a configuration issue? These include extractions, input configurations, forwarding, apps disabling, or authentication.
  • Is it a performance problem?

Send diagnosis files

Most support cases are opened in response to functional problems: Splunk has been configured to do something, but it is behaving in an unexpected way.

Splunk Support needs both the context of the problem and insight into the instance that is not performing as expected. That insight comes in the form of a "diag," which is essentially a snapshot of the configuration of the host server, the Splunk instance, and the recent logs of that instance.

Whether your problem is with a forwarder, an indexer, a search head, or a deployment server, send us your diag. If you have a forwarder and a receiver that aren't working together correctly, send us diags of both. (If you have many forwarders, just send one representative forwarder diag.)

The diag tarball or .zip does not contain any of your indexed data, but if you have concerns, please go ahead and examine the contents. Read about making a diag in this manual.

Splunk Support might request another diag after recommending a change or update to the instance. This diag can ensure that the change has been applied and verify the impact, if any, to the instance. It is not unusual to have multiple updated diags for a single case.

Splunk Support understands that it is not always straightforward to collect a diag from certain machines, due to a variety of restrictions. If this is the case with your environment, detail that in your case and we will adjust our approach and requests accordingly. Review "Generate a diag" in this manual for options available when generating a diag.

Contact Support
Generate a diag

This documentation applies to the following versions of Splunk: 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.3.0, 6.3.1, 6.3.1511, 6.3.2, 6.3.3 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters