See the following sections for more information on troubleshooting your Splunk Open Database Connectivity (ODBC) driver deployment.
Keywords unable to be used as field names
Some SQL keywords or portions of keywords are reserved. You cannot use them as field names. Some of the keywords you can't use as field names include the following:
Errors in saved searched with spaces in its name
Do not use a saved search in Splunk Enterprise with a space or underscore in its name with the Splunk ODBC Driver. It might result in an error. Use the Splunk Enterprise
rename function to replace any spaces in saved search names with underscores.
How do I make sure the communication between the Splunk ODBC Driver and my Splunk Enterprise instance over a firewall is secure?
The Splunk ODBC Driver checks your Splunk Enterprise server's certificate. To enforce this option follow these steps:
- Follow the instructions in the Enter or change configuration information section.
- In the Splunk ODBC Connection Options window, click the Verify Server SSL Certificate checkbox.
The Splunk ODBC Driver 2.1.0 and higher supports TLS 1.2. It does not support SSL. For more information, see Configure the TLS certificate.
To speed up your searches using the Splunk ODBC Driver, use the same techniques that you use to accelerate Splunk searches.
- Be specific in your searches. For example, put a keyword search into the first search command. Narrow the search as quickly as possible, ideally, before the first pipe.
- Use report acceleration to speed up transforming searches and reports that cover a large volume of data. See Manage report acceleration in the Splunk Enterprise Knowledge Manager Manual.
- Use summary indexing to increase reporting efficiency. Summary indexing is useful when you have large datasets or long time ranges to search. Learn more about summary indexing and how to set it up in Use summary indexing for increased reporting efficiency in the Splunk Enterprise Knowledge Manager Manual.
- If you're using data models that represent large data sets, use data model acceleration to complete pivots more quickly. Whereas summary indexing speeds up individual searches on a per-report basis, data model acceleration speeds up reporting for a specific set of attributes that you've defined in a data model. For more information and to determine whether data model acceleration is for you, see "Accelerate data models".
- When using data model acceleration, use the pivot and tstats search commands to speed up searches with the help of .tsidx files. .tsidx files are time-series index files, or summaries of the data returned by an accelerated data model. You can also use tscollect to create a .tsidx directory without using data model acceleration. You need to manage, maintain, and refresh the directory manually.
Proxy servers prevent communication with Splunk Enterprise instances
You might not be able to contact Splunk Enterprise instances that are on networks that require proxy servers without some additional configuration. To enable this scenario, you'll need to add an environment variable to the computer that runs the Splunk ODBC Driver.
For more information about configuring the Splunk ODBC Driver on a network with proxy servers, see "Proxy Server Configuration".
Tables are not visible after connecting
You connect to your Splunk instance in Excel or Tableau, and you cannot see any tables, or the tables you see aren't the ones you expected. There are several possibilities for what's wrong:
Your connection attributes are incorrect.
Check your connection attributes by following the instructions in "Enter or change configuration information". Is the server URL correct? Is the port number correct? By default, the port for splunkd is 8089. splunkd is what the Splunk ODBC Driver is connecting to. You can also try the following:
- Click the Start button (or, in Windows 8, go to the Start screen), and type odbc. Click whichever of the following that appears: Data Sources (ODBC), 32-bit ODBC Data Source Administrator, or 64-bit ODBC Data Source Administrator.
- In the ODBC Data Source Administrator window, click the System DSN tab, and then click "Splunk ODBC" in the list of system data sources.
- Click the Configure button. The Splunk ODBC Connection Options window appears.
- Copy the URL listed next to Server URL.
- Open a browser window, paste the URL into the address bar, and press Enter.
Note: If at this point you see a window warning you about a problem with a security certificate, choose the option to continue.
A window that looks like the following appears.
- Click the link for "services".
- When prompted, enter the same credentials that you entered when you configured the Splunk ODBC Driver.
If, after you click OK, you see an expanded list of endpoints, then the credentials you entered are correct. If not, reenter the credentials by following the instructions in "Enter or change configuration information".
Your permissions are incorrect or insufficient.
If your permissions are incorrect or insufficient, you might prevent the Splunk ODBC Driver from seeing the saved searches you're expecting. The tables that you see in Excel and Tableau map to saved searches in Splunk. If you don't have permissions to see certain saved searches, they do not appear as tables either.
"Table not found" error message
If you see a "Table not found" error message when you try to connect your ODBC-capable application to Splunk Enterprise, you might have a licensing issue.
Ensure that your license is up to date:
- Log into Splunk Enterprise.
- In Settings, click Licensing under System.
Make sure that you have a valid Splunk Enterprise license installed, and that its status is "valid" (not "expired").
Driver doesn't appear in data sources
The Splunk ODBC Driver doesn't appear in the list of data sources.
When you choose the Splunk ODBC data source, you might not see "Splunk ODBC" in the list of data sources. You probably installed the 64-bit version of the Splunk ODBC Driver, but you're trying to use it with a 32-bit application, or vice-versa. Install the appropriate version of the Splunk ODBC Driver and try again.
Connection or host name resolution errors
Connection errors or host name resolution errors
If you see any of the following error messages when you try to connect your ODBC-capable application to Splunk, your computer is having trouble contacting the Splunk server.
If your computer is running the Splunk instance that you're trying to connect to, make sure it is started:
In Windows 10, click Splunk on the Start screen. If you see a login screen, try to connect again. If you cannot, something else is wrong. See the "Splunk Troubleshooting Manual".
If you're connecting to a server running Splunk somewhere on your network, see if you can access it using your browser. If not, contact your network administrator.
If you can access your server, but you receive one or more of these error messages, check your configuration. See "Enter or change configuration information" and check that you entered the host name and port information correctly.
"Unable to connect" error
If you see one of the following error messages when you try to connect your ODBC-capable application to Splunk
Verify that your connect URL has the correct protocols. For example, https instead of http, and management port number (default is 8089. If not default, use the configured port number).
For PowerBI and Excel users, restart your PowerBI or Excel instance, and clear the connection string cache, as there may be cached connection string and user/permission issues. See the PowerBI community page for more information.
Excel joins or joining tables error messages
When I use the driver with Microsoft Excel, I get an error message about joins or joining tables.
You see one of the following error messages when you try to add more than one table to your query in Microsoft Query, or when you try to add columns from more than one table in the Query Wizard.
You can include only one table in your query. Each table corresponds to a report (saved search in Splunk Enterprise) in Splunk. If your table doesn't include the columns you want, verify in Splunk that the corresponding report is returning the results you expect, and modify the query if necessary.
Tableau doesn't display new reports (saved searches)
Consider the following scenario: You connect to Splunk Enterprise using Tableau and work while connected live to an existing search. While connected to that Splunk instance separately (for example, using Splunk Web), you create a new report (saved search in Splunk Enterprise 5). Back in Tableau, the new report is not available as a table. Even if you disconnect and reconnect to the Splunk instance, the new report is still not visible.
This is expected behavior. To see the updated list of reports, exit and relaunch Tableau, and connect again.
Note: You need to relaunch Tableau only when you add or change reports (saved searches). Adding or changing fields doesn't have this requirement; simply perform a refresh within Tableau.
Tableau doesn't display new or changed fields
If you add new fields or change an existing field in Tableau while connected to Splunk, you might not see the new or changed fields right away. To see them, simply refresh the workbook.
Note: Unlike reports (saved searches in Splunk Enterprise 5), which require a relaunch of Tableau when added or changed, adding or changing fields require only a refresh within Tableau.
Null fields aren't handled in the same way as with other database systems
Null fields are not handled in the same way as you might be used to with other database systems. For example, they might inconsistently appear when you add or remove columns to your query.
This behavior is expected. To prevent this from happening, add functionality to your report (saved search in Splunk Enterprise 5) that gives null fields a constant literal value—for example, the string "Null". This ensures that null fields appear consistently.
"Invalid username/password" error message
When you connect to Splunk Enterprise 6.x using Tableau 8.1.8 or later and the Splunk ODBC Driver 1.0 or later, you may receive an "invalid username/password" error. This error may appear even when you have entered a valid username and password combination. Splunk and Tableau are both aware of this issue, and are working to resolve it as soon as possible.
The "invalid username/password" error occurs when connecting to a Splunk Enterprise instance whose main index contains no data. Its other indexes may have data, but if the main index is empty, you will see this error.
To work around this error, ensure that the main index of Splunk Enterprise instance to which you're connecting contains at least some data.
ODBC module could not be found
When you connect to the Splunk platform, and you receive the following error:
The setup routine for the Splunk ODBC Driver ODBC Driver could not be loaded due to system error code 126: The specified module could not be found (C:\Program Files\Splunk ODBC Driver\lib\SplunkDSII.dll).
Make sure you have installed the dependency of Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019, downloadable from Microsoft's website.
Cannot connect to Splunk Cloud
Verify that Splunk Cloud's REST service
https://splunkcloudURL:8089 is configured and accessible to the Splunk ODBC driver client.
Excel on macOS error: ODBC Driver manager is not installed
If Excel users on macOS experience the following error when deploying the Splunk ODBC Driver,
Microsoft Excel cannot complete this operation because the ODBC Driver Manager is not installed. To install the ODBC Driver Manager, run Setup and install the database driver for the type of database(s) you want to access.
Excel on macOS requires installation of an ODBC Driver Manager. Download and install an ODBC manager.
Access data models using the Splunk ODBC Driver on macOS
This documentation applies to the following versions of Splunk® ODBC Driver: 3.1.0