Generate a diagnostic file
To help diagnose a problem, Splunk Support might request a diagnostic file from you. Diag files give Support insight into how an instance is configured and how it has been operating up to the point that the diag command was issued.
Diag generation, whether in Splunk Web or at the command line, collects basic information about your instance, including configuration details. It gathers information, such as server specs, OS version, file system, and current open connections, from the machine running . From the instance, it collects the contents of $SPLUNK_HOME, such as app configurations, internal log files, and index metadata.
Diags do not contain any of your indexed data. You can examine the diag file to ensure that no proprietary data is included. In some environments, custom app objects, like lookup tables, can contain sensitive data. Read on for more details about controlling the files contained in a diag.
Before you send any files or information to Splunk Support, verify that you are comfortable sending it to us. Splunk software tries to exclude sensitive information from diags but we cannot guarantee compliance with your particular security policy.
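One way to carry out the review described above, as an added example that is not part of Splunk's documentation or tooling: it lists lookup tables in a diag archive and flags lines that look like credentials, reporting only the key name. It assumes the diag is a tar archive (optionally gzip-compressed); the function names, patterns, and sample paths are illustrative.

```python
import io
import re
import tarfile

# Assumption: the diag is a (gzip-compressed) tar archive. The patterns are
# illustrative examples, not a list published by Splunk.
LOOKUP_RE = re.compile(r"(^|/)lookups/[^/]+\.csv(\.gz)?$", re.I)
SECRET_RE = re.compile(rb"(?i)\b(pass(word|4symmkey)?|secret|token|api[_-]?key)\s*[=:]\s*\S+")
MAX_SCAN = 2 * 1024 * 1024  # do not content-scan members larger than this


def review_diag(fileobj):
    """Return (lookup_files, secret_hits) for a diag archive given as a binary file object."""
    lookups, hits = [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if LOOKUP_RE.search(member.name):
                lookups.append(member.name)  # lookup tables deserve a manual look
            if member.size > MAX_SCAN:
                continue
            data = tar.extractfile(member).read()
            for lineno, line in enumerate(data.splitlines(), 1):
                match = SECRET_RE.search(line)
                if match:
                    # Record the key name only, never the value itself.
                    hits.append((member.name, lineno, match.group(1).decode().lower()))
    return lookups, hits


def build_sample_diag():
    """Constructed sample archive standing in for a real diag (paths are made up)."""
    files = {
        "diag-sample/etc/apps/search/lookups/customers.csv": b"name,ssn\nalice,000-00-0000\n",
        "diag-sample/etc/apps/search/local/inputs.conf": b"[http://hec]\ntoken = 1234-abcd\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(review_diag(build_sample_diag()))
```

To check a real diag, open it with `open(path, "rb")` and pass the file object to `review_diag`; an empty result means only that these patterns found nothing, so it does not replace a manual review.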
Generate diags using Splunk Web
As an admin, you can generate diags using Splunk Web on 7.1.0 and later.
You can create a new diag, recreate a diag using settings you chose in the past, and manage previously created diag bundles. After you have diags on your local machine, you can upload them to an existing Support case.
Follow these steps to access the Splunk Web diag generation page.
- Log into Splunk Web as an Admin.
- On the administration menu, click System > Instrumentation.
Diags are stored in
Upload a file to Splunk Support
If you have a support case open, you can automatically send a diag file to the open case once the diag file is generated. Alternatively, you can upload a file that already exists, such as a previously generated diag or other debugging data.
To generate and upload a diag, the CLI syntax is:
splunk diag --upload
To upload a file you already have, the CLI syntax is:
splunk diag --upload-file=a-filename.zip
- This command interactively prompts for values such as a splunk.com user name and password, choice of open cases for that user, and a description of the upload.
If you know the open case number or other values, you can set those flags in the diag command directly:
Upload:
  Flags to control uploading files
  Ex: splunk diag --upload [...]
    --case-number=case-number
        Case number to attach to, e.g. 200500
    --upload-user=UPLOAD_USER
        splunk.com username to use for uploading
    --upload-description=UPLOAD_DESCRIPTION
        description of file upload for Splunk support
    --firstchunk=chunk-number
        For resuming upload of a multi-part upload; select the first chunk to send
- User names on splunk.com do not include @domain.com.
- The --firstchunk flag matters only if uploading a huge file fails after partial success. In this case, the diag output explicitly tells you the command to use to retry.
- You are always prompted for the splunk.com password on the command line when using the
splunk diag --upload --case-number=$number --upload-user=$user_name --upload-description="$brief_description"
For much more information on generating a diagnostic file, see Generate a diagnostic file in the Splunk Enterprise Troubleshooting Manual.
This documentation applies to the following versions of Splunk® Light (Legacy): 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6