Splunk® Light

Installation Manual

Download manual as PDF

Download topic as PDF

Generate a diagnostic file

To help diagnose a problem, Splunk Support might request a diagnostic file from you. Diag files give Support insight into how an instance is configured and how it has been operating up to the point that the diag command was issued.

About diag

Diag generation, whether in Splunk Web or at the command line, collects basic information about your Splunk Light instance, including configuration details. It gathers information, such as server specs, OS version, file system, and current open connections, from the machine running Splunk Light. From the Splunk Light instance, it collects the contents of $SPLUNK_HOME such as app configurations, internal log files, and index metadata.

Diags do not contain any of your indexed data. You can examine the diag file to ensure that no proprietary data is included. In some environments, custom app objects, like lookup tables, can contain sensitive data. Read on for more details about controlling the files contained in a diag.

Before you send any files or information to Splunk Support, verify that you are comfortable sending it to us. Splunk software tries to exclude sensitive information from diags but we cannot guarantee compliance with your particular security policy.

Generate diags using Splunk Web

As a Splunk Light admin, you can generate diags using Splunk Web on Splunk Light 7.1.0 and later.

You can create a new diag, recreate a diag using settings you chose in the past, and manage previously created diag bundles. After you have diags on your local machine, you can upload them to an existing Support case.

Follow these steps to access the Splunk Web diag generation page.

  1. Log into Splunk Web as an Admin.
  2. On the administration menu, click System > Instrumentation.

Diags are stored in $SPLUNK_HOME/var/run/diags.

Upload a file to Splunk Support

If you have a support case open, you can automatically send a diag file to the open case once the diag file is generated Alternatively, you can upload a file that already exists, such as a previously generated diag or other debugging data.

To generate and upload a diag, the CLI syntax is:

splunk diag --upload

To upload a file you already have, the CLI syntax is:

splunk diag --upload-file=a-filename.zip
  • This command interactively prompts for values such as a splunk.com user name and password, choice of open cases for that user, and a description of the upload.

If you know the open case number or other values, you can set those flags in the diag command directly:

  Upload:
    Flags to control uploading files  Ex: splunk diag --upload
[...]
    --case-number=case-number
                        Case number to attach to, e.g. 200500
    --upload-user=UPLOAD_USER
                        splunk.com username to use for uploading
    --upload-description=UPLOAD_DESCRIPTION
                        description of file upload for Splunk support
    --firstchunk=chunk-number
                        For resuming upload of a multi-part upload; select the
                        first chunk to send
  • User names on splunk.com do not include @domain.com.
  • The --firstchunk flag matters only if uploading a huge file fails after partial success. In this case, the diag output explicitly tells you the command to use to retry.
  • You are always prompted for the splunk.com password on the command line when using the --upload commands.

Example:

splunk diag --upload --case-number=$number --upload-user=$user_name --upload-description="$brief_description"

Additional resources

For much more information on generating a diagnostic file, see Generate a diagnostic file in the Splunk Enterprise Troubleshooting Manual.


Watch a video on using the diag and anonymize CLI commands by a Splunk Support engineer:


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about diags.

Last modified on 14 January, 2020
PREVIOUS
Share data in Splunk Light
  NEXT
About Splunk Light licensing

This documentation applies to the following versions of Splunk® Light: 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters