How to file a great Support case
When you're contacting Support, you can save time by starting out with everything we'll need!
Here are some ideas to get you started.
Describe the issue
Where does the issue occur? On a forwarder? On an indexer?
What elements are present for the issue? What's the timeline leading to the error? What processes are running when the error appears?
What behavior do you observe, compared to what you expect? Be specific - for example, how late is "late"?
Try to classify the problem:
- Is it a searching issue? These include Splunk Web, management, roles, apps, views and dashboards, search language.
- Is it a back end issue? These problems could include crashing, OS issues, REST API, or SDK.
- Is it a configuration issue? These include extractions, input configurations, forwarding, apps disabling, or authentication.
- Is it a performance problem?
Send diagnosis files
Most support cases are opened in response to functional problems: Splunk has been configured to do something, but it is behaving in an unexpected way.
Splunk Support needs both the context of the problem and insight into the instance that is not performing as expected. That insight comes in the form of a "diag," which is essentially a snapshot of the configuration of the host server, the Splunk instance, and the recent logs of that instance.
Whether your problem is with a forwarder, an indexer, a search head, or a deployment server, send us your diag. If you have a forwarder and a receiver that aren't working together correctly, send us diags of both. (If you have many forwarders, just send one representative forwarder diag.)
The diag tarball or .zip does not contain any of your indexed data, but if you do have concerns then please go ahead and extract yourself to examine the contents. Read about making a diag in this manual.
Please note that Splunk Support might request another diag after recommending a change or update to the instance. This diag can ensure that the change has been applied and verify the impact, if any, to the instance. It is not unusual to have multiple updated diags for a single case.
Splunk Support understands that it is not always straightforward to collect a diag from certain machines, due to a variety of restrictions. If this is the case with your environment, detail that in your case and we will adjust our approach and requests accordingly.
Anonymize data samples to send to Support
This documentation applies to the following versions of Splunk® Enterprise: 6.0