Troubleshooting

Keywords unable to be used as field names

Some SQL keywords or portions of keywords are reserved. You cannot use them as field names. They include the following:

• avg
• hour
• key
• max
• min
• second

Errors with reports with spaces in its name

Do not use a report (saved search in Splunk Enterprise) with a space or underscore in its name with the Splunk ODBC Driver. It might result in an error. Use the Splunk Enterprise rename function to replace any spaces in report names with underscores.

How do I ensure secure communication between the Splunk ODBC Driver and my Splunk Enterprise instance over a firewall?

The Splunk ODBC Driver checks your Splunk Enterprise server's certificate. To enforce this option:

1. Follow the instructions in the "Configuration" section.
2. In the Splunk ODBC Connection Options window, select the Verify Server SSL Certificate checkbox.

Splunk ODBC Driver 2.1.0 and later supports TLS 1.2. It does not support SSL. For more information, see TLS Certificate Configuration.

Speed issues

To speed up your searches using the Splunk ODBC Driver, use the same techniques that you use to speed up Splunk searches.

1. Be specific in your searches. For example, put a keyword search into the first search command. Narrow the search as quickly as possible—ideally, before the first pipe.
2. Use report acceleration to speed up transforming searches and reports that cover a large volume of data. See "Manage report acceleration".
3. Use summary indexing to increase reporting efficiency. Summary indexing is useful when you have large datasets and/or long time ranges to search. Learn more about summary indexing (and how to set it up) by reading "Use summary indexing for increased reporting efficiency".
4. If you're using data models that represent large data sets, use data model acceleration to complete pivots more quickly. Whereas summary indexing speeds up individual searches on a per-report basis, data model acceleration speeds up reporting for a specific set of attributes that you've defined in a data model. For more information and to determine whether data model acceleration is for you, see "Accelerate data models".
5. When using data model acceleration, use the pivot and tstats search commands to speed up searches with the help of .tsidx files. .tsidx files are time-series index files, or summaries of the data returned by an accelerated data model. You can also use tscollect to create a .tsidx directory without using data model acceleration. You will need to manage, maintain, and refresh it manually.

Search the Splunk Docs and Splunk Answers sites to find out what the Splunk documentation and other Splunk users recommend.

Proxy servers prevent communication with Splunk Enterprise instances

You might not be able to contact Splunk Enterprise instances that are on networks that require proxy servers without some additional configuration. To enable this scenario, you'll need to add an environment variable to the computer that runs the Splunk ODBC Driver.

For more information about configuring the Splunk ODBC Driver on a network with proxy servers, see "Proxy Server Configuration".

Tables are not visible after connecting

You connect to your Splunk instance in Excel or Tableau, and you cannot see any tables, or the tables you see aren't the ones you expected. There are several possibilities for what's wrong:

Your connection attributes are incorrect.

Check your connection attributes by following the instructions in "Enter or change configuration information". Is the server URL correct? Is the port number correct? By default, the port for splunkd is 8089. splunkd is what the Splunk ODBC Driver is connecting to. You can also try the following:

1. Click the Start button (or, in Windows 8, go to the Start screen), and type odbc. Click whichever of the following that appears: Data Sources (ODBC), 32-bit ODBC Data Source Administrator, or 64-bit ODBC Data Source Administrator.
2. In the ODBC Data Source Administrator window, click the System DSN tab, and then click "Splunk ODBC" in the list of system data sources.
3. Click the Configure button. The Splunk ODBC Connection Options window appears.
4. Copy the URL listed next to Server URL.
5. Open a browser window, paste the URL into the address bar, and press Enter.

   Note: If at this point you see a window warning you about a problem with a security certificate, choose the option to continue.

   A window that looks like the following appears.

   
6. Click the link for "services".
7. When prompted, enter the same credentials that you entered when you configured the Splunk ODBC Driver.

If, after you click OK, you see an expanded list of endpoints, then the credentials you entered are correct. If not, reenter the credentials by following the instructions in "Enter or change configuration information".

Your permissions are incorrect or insufficient.

If your permissions are incorrect or insufficient, you might prevent the Splunk ODBC Driver from seeing the saved searches you're expecting. The tables that you see in Excel and Tableau map to saved searches in Splunk. If you don't have permissions to see certain saved searches, they do not appear as tables either.

"Table not found" error message

If you see a "Table not found" error message when you try to connect your ODBC-capable application to Splunk Enterprise, you might have a licensing issue.

Ensure that your license is up to date:

1. Log into Splunk Enterprise.
2. In Settings, click Licensing under System.

Make sure that you have a valid Splunk Enterprise license installed, and that its status is "valid" (not "expired").

Driver doesn't appear in data sources

The Splunk ODBC Driver doesn't appear in the list of data sources.

When you choose the Splunk ODBC data source, you might not see "Splunk ODBC" in the list of data sources. You probably installed the 64-bit version of the Splunk ODBC Driver, but you're trying to use it with a 32-bit application, or vice-versa. Install the appropriate version of the Splunk ODBC Driver and try again.

Connection or host name resolution errors

Connection errors or host name resolution errors

If you see any of the following error messages when you try to connect your ODBC-capable application to Splunk, your computer is having trouble contacting the Splunk server.

If your computer is running the Splunk instance that you're trying to connect to, make sure it is started:

In Windows 10, click Splunk on the Start screen. If you see a login screen, try to connect again. If you cannot, something else is wrong. See the "Splunk Troubleshooting Manual".

If you're connecting to a server running Splunk somewhere on your network, see if you can access it using your browser. If not, contact your network administrator.

If you can access your server, but you receive one or more of these error messages, check your configuration. See "Enter or change configuration information" and check that you entered the host name and port information correctly.

"Unable to connect" error

If you see one of the following error messages when you try to connect your ODBC-capable application to Splunk

or

Verify that your connect URL has the correct protocols. For example, https instead of http, and management port number (default is 8089. If not default, use the configured port number).

For PowerBI and Excel users, restart your PowerBI or Excel instance, and clear the connection string cache, as there may be cached connection string and user/permission issues. See the PowerBI community page for more information.

Excel joins or joining tables error messages

When I use the driver with Microsoft Excel, I get an error message about joins or joining tables.

You see one of the following error messages when you try to add more than one table to your query in Microsoft Query, or when you try to add columns from more than one table in the Query Wizard.

You can include only one table in your query. Each table corresponds to a report (saved search in Splunk Enterprise) in Splunk. If your table doesn't include the columns you want, verify in Splunk that the corresponding report is returning the results you expect, and modify the query if necessary.

Tableau doesn't display new reports (saved searches)

Consider the following scenario: You connect to Splunk Enterprise using Tableau and work while connected live to an existing search. While connected to that Splunk instance separately (for example, using Splunk Web), you create a new report (saved search in Splunk Enterprise 5). Back in Tableau, the new report is not available as a table. Even if you disconnect and reconnect to the Splunk instance, the new report is still not visible.

This is expected behavior. To see the updated list of reports, exit and relaunch Tableau, and connect again.

Note: You need to relaunch Tableau only when you add or change reports (saved searches). Adding or changing fields doesn't have this requirement; simply perform a refresh within Tableau.

Tableau doesn't display new or changed fields

If you add new fields or change an existing field in Tableau while connected to Splunk, you might not see the new or changed fields right away. To see them, simply refresh the workbook.

Note: Unlike reports (saved searches in Splunk Enterprise 5), which require a relaunch of Tableau when added or changed, adding or changing fields require only a refresh within Tableau.

Null fields aren't handled in the same way as with other database systems

Null fields are not handled in the same way as you might be used to with other database systems. For example, they might inconsistently appear when you add or remove columns to your query.

This behavior is expected. To prevent this from happening, add functionality to your report (saved search in Splunk Enterprise 5) that gives null fields a constant literal value—for example, the string "Null". This ensures that null fields appear consistently.

"Invalid username/password" error message

When you connect to Splunk Enterprise 6.x using Tableau 8.1.8 or later and the Splunk ODBC Driver 1.0 or later, you may receive an "invalid username/password" error. This error may appear even when you have entered a valid username and password combination. Splunk and Tableau are both aware of this issue, and are working to resolve it as soon as possible.

The "invalid username/password" error occurs when connecting to a Splunk Enterprise instance whose main index contains no data. Its other indexes may have data, but if the main index is empty, you will see this error.

To work around this error, ensure that the main index of Splunk Enterprise instance to which you're connecting contains at least some data.

ODBC module could not be found

When you connect to the Splunk platform, and you receive the following error:

The setup routine for the Splunk ODBC Driver ODBC Driver could not be loaded due to system error code 126: The specified module could not be found (C:\Program Files\Splunk ODBC Driver\lib\SplunkDSII.dll).

Make sure you have installed the dependency of Microsoft Visual C++ 2010 x64 or 32bit Redistributable

Cannot connect to Splunk Cloud

Verify that Splunk Cloud's REST service https://splunkcloudURL:8089 is configured and accessible to the Splunk ODBC driver client.