To speed up your searches using the Splunk ODBC Driver, use the same techniques that you use to speed up Splunk searches.
- Be specific in your searches. For example, put a keyword search into the first search command. Narrow the search as quickly as possible—ideally, before the first pipe.
- Use report acceleration to speed up transforming searches and reports that cover a large volume of data. See "Manage report acceleration".
- Use summary indexing to increase reporting efficiency. Summary indexing is useful when you have large datasets and/or long time ranges to search. Learn more about summary indexing (and how to set it up) by reading "Use summary indexing for increased reporting efficiency".
- If you're using data models that represent large data sets, use data model acceleration to complete pivots more quickly. Whereas summary indexing speeds up individual searches on a per-report basis, data model acceleration speeds up reporting for a specific set of attributes that you've defined in a data model. For more information and to determine whether data model acceleration is for you, see "Accelerate data models".
- When using data model acceleration, use the pivot and tstats search commands to speed up searches with the help of .tsidx files. .tsidx files are time-series index files, or summaries of the data returned by an accelerated data model. You can also use tscollect to create a .tsidx directory without using data model acceleration. You will need to manage, maintain, and refresh it manually.
Proxy servers prevent communication with Splunk Enterprise instances
You might not be able to contact Splunk Enterprise instances that are on networks that require proxy servers without some additional configuration. To enable this scenario, you'll need to add an environment variable to the computer that runs the Splunk ODBC Driver.
For more information about configuring the Splunk ODBC Driver on a network with proxy servers, see "Proxy Server Configuration".
Tables are not visible after connecting
You connect to your Splunk instance in Excel or Tableau, and you cannot see any tables, or the tables you see aren't the ones you expected. There are several possibilities for what's wrong:
Your connection attributes are incorrect.
Check your connection attributes by following the instructions in "Enter or change configuration information". Is the server URL correct? Is the port number correct? By default, the port for splunkd is 8089. splunkd is what the Splunk ODBC Driver is connecting to. You can also try the following:
- Click the Start button (or, in Windows 8, go to the Start screen), and type odbc. Click whichever of the following that appears: Data Sources (ODBC), 32-bit ODBC Data Source Administrator, or 64-bit ODBC Data Source Administrator.
- In the ODBC Data Source Administrator window, click the System DSN tab, and then click "Splunk ODBC" in the list of system data sources.
- Click the Configure button. The Splunk ODBC Connection Options window appears.
- Copy the URL listed next to Server URL.
- Open a browser window, paste the URL into the address bar, and press Enter.
Note: If at this point you see a window warning you about a problem with a security certificate, choose the option to continue.
A window that looks like the following appears.
- Click the link for "services".
- When prompted, enter the same credentials that you entered when you configured the Splunk ODBC Driver.
If, after you click OK, you see an expanded list of endpoints, then the credentials you entered are correct. If not, reenter the credentials by following the instructions in "Enter or change configuration information".
Your permissions are incorrect or insufficient.
If your permissions are incorrect or insufficient, you might prevent the Splunk ODBC Driver from seeing the saved searches you're expecting. The tables that you see in Excel and Tableau map to saved searches in Splunk. If you don't have permissions to see certain saved searches, they do not appear as tables either.
"Saved search not found" message
You will see the error message "Saved search not found: . " when you try to access a report (saved search in Splunk Enterprise 5) that has an underscore in its name through the Splunk ODBC Driver version 1.0.
This is a known issue in version 1.0 of the Splunk ODBC Driver that has been fixed in version 1.0.1. Download and install the latest version using the instructions in "Install the Splunk ODBC Driver".
"Login failed" error message
If you see the following error message when you try to connect your ODBC-capable application to Splunk, your login information is not correct.
Reenter your login information for your Splunk server. You must have the correct user name and password for the user account with which you want to access the Splunk server. In addition, change your Splunk password from the default "changeme" password or the Splunk ODBC Driver will not connect to your Splunk instance.
See "Enter or change configuration information" and check that you entered the login information correctly.
"Table not found" error message
If you see a "Table not found" error message when you try to connect your ODBC-capable application to Splunk Enterprise, you might have a licensing issue.
Ensure that your license is up to date:
- Log into Splunk Enterprise.
- In Settings, click Licensing under System.
Make sure that you have a valid Splunk Enterprise license installed, and that its status is "valid" (not "expired").
Driver doesn't appear in data sources
The Splunk ODBC Driver doesn't appear in the list of data sources.
When you choose the Splunk ODBC data source, you might not see "Splunk ODBC" in the list of data sources. You probably installed the 64-bit version of the Splunk ODBC Driver, but you're trying to use it with a 32-bit application, or vice-versa. Install the appropriate version of the Splunk ODBC Driver and try again.
Connection or host name resolution errors
I get connection errors or host name resolution errors.
If you see any of the following error messages when you try to connect your ODBC-capable application to Splunk, your computer is having trouble contacting the Splunk server.
If your computer is running the Splunk instance that you're trying to connect to, make sure it is started:
In Windows 7, click the Start button, point to All Programs, point to Splunk, and then click Splunk. In Windows 8, click Splunk on the Start screen. If you see a login screen, try to connect again. If you cannot, something else is wrong. See the "Splunk Troubleshooting Manual".
If you're connecting to a server running Splunk somewhere on your network, see if you can access it using your browser. If not, contact your network administrator.
If you can access your server, but you receive one or more of these error messages, check your configuration. See "Enter or change configuration information" and check that you entered the host name and port information correctly.
Tableau identified limitations... error message
When I set up an ODBC connection in Tableau, I get an error message titled "Tableau identified limitations for the ODBC data source."
If you get the following error message after you click OK in the Generic ODBC Connection setup window in Tableau, you need to copy the Splunk TDC file to your Tableau datasources folder.
See "Copy the Splunk.tdc file" for instructions.
Excel joins or joining tables error messages
When I use the driver with Microsoft Excel, I get an error message about joins or joining tables.
You see one of the following error messages when you try to add more than one table to your query in Microsoft Query, or when you try to add columns from more than one table in the Query Wizard.
You can include only one table in your query. Each table corresponds to a report (saved search in Splunk Enterprise 5) in Splunk. If your table doesn't include the columns you want, verify in Splunk that the corresponding report is returning the results you expect, and modify the query if necessary.
Tableau doesn't display new reports (saved searches)
Consider the following scenario: You connect to Splunk Enterprise using Tableau and work while connected live to an existing search. While connected to that Splunk instance separately (for example, using Splunk Web), you create a new report (saved search in Splunk Enterprise 5). Back in Tableau, the new report is not available as a table. Even if you disconnect and reconnect to the Splunk instance, the new report is still not visible.
This is expected behavior. To see the updated list of reports, exit and relaunch Tableau, and connect again.
Note: You need to relaunch Tableau only when you add or change reports (saved searches). Adding or changing fields doesn't have this requirement; simply perform a refresh within Tableau.
Tableau doesn't display new or changed fields
If you add new fields or change an existing field in Tableau while connected to Splunk, you might not see the new or changed fields right away. To see them, simply refresh the workbook.
Note: Unlike reports (saved searches in Splunk Enterprise 5), which require a relaunch of Tableau when added or changed, adding or changing fields require only a refresh within Tableau.
Null fields aren't handled in the same way as with other database systems
Null fields are not handled in the same way as you might be used to with other database systems. For example, they might inconsistently appear when you add or remove columns to your query.
This behavior is expected. To prevent this from happening, add functionality to your report (saved search in Splunk Enterprise 5) that gives null fields a constant literal value—for example, the string "Null". This ensures that null fields appear consistently.
"Invalid username/password" error message
When you connect to Splunk Enterprise 6.x using Tableau 8.1.8 or later and the Splunk ODBC Driver 1.0 or later, you may receive an "invalid username/password" error. This error may appear even when you have entered a valid username and password combination. Splunk and Tableau are both aware of this issue, and are working to resolve it as soon as possible.
The "invalid username/password" error occurs when connecting to a Splunk Enterprise instance whose main index contains no data. Its other indexes may have data, but if the main index is empty, you will see this error.
To work around this error, ensure that the main index of Splunk Enterprise instance to which you're connecting contains at least some data.
Frequently Asked Questions (FAQs)
This documentation applies to the following versions of Splunk® ODBC Driver: 1.0, 1.0.1