Splunk® Answers and Splunkbase

Splunk Answers User Manual


Ask and answer questions

You can begin your Splunk Answers community participation by asking or answering a question.

How to ask a question

If you've got a specific question about using, deploying, or troubleshooting a problem with Splunk, you can first search Documentation, then search Splunk Answers to see if a similar question to yours has already been posted.

If no one else has asked your question, navigate to https://answers.splunk.com/answers and click Ask a question, next to the search bar.

The title of your question should be as clear as possible. What exactly are you asking? Do you want help with a field extraction? If so, use a title like "Need help writing a field extraction that does <xyz>". Are you seeing an error in your Splunk logs and want help figuring out what it means? "Seeing the following error <error snippet>, what does it mean?" is a clear question title.

In the text of your question, provide as much detailed info about your situation and environment as you can, taking care not to share any confidential data. Useful information includes:

  • The Splunk products and versions you're using
  • Whether or not you're using forwarders, and which type(s)
  • Error messages you're seeing, and in which logs
  • Examples of the data you're indexing or searching (if relevant to your problem)
  • Configurations, regexes, etc.
  • Prior research you have done and your desired result
  • Exact Splunk Enterprise terminology

The text editor tools are your friend. Use the Code Sample button to wrap any sample code, data, search strings, or conf file stanzas in a code box to render special characters properly. If you are including snippets of code within a sentence, enclose them in backticks (`).

Resolving your post

After you receive an answer with a working solution to your question, please resolve your post by clicking "Accept" directly below the answer that solved your problem. This will make it easier for other users with the same issue to find the solution when searching for answers.

How to answer a question

If you have a full, complete answer for a question, use the Enter your answer here… text field at the bottom of a question page to fill out and submit your response.

If you still need to gather more information from the poster of the question before proposing a thorough solution, click Add comment directly below the question to communicate what you need them to provide.

Be thorough and explain why your solution answers the question. Educate the community on how to troubleshoot and solve the problem rather than simply copying and pasting an answer.

Provide links

Make it easy for the reader to find what is needed and point them in the right direction from the start.

If your answer touches on a topic covered in the Splunk documentation, you should add a reference link so users can explore more information on the subject. If there are external resources such as regex helper tools or Wikipedia, provide links to the tools or sites if the information on those links supports your answer.

Tips for getting your questions answered

If you can't find what you're looking for, then follow these best practices for asking a question. These recommendations are based on observations of the interactions between askers and answerers, as well as research conducted on common factors found in questions that do not receive any answers.

Search first

Before asking a question, you should search the Splunk documentation. The documentation is a great first resource for answers to your questions. If you don't find what you are looking for, then search Splunk Answers to see if someone else has asked the same or similar question.

If you feel like you are not getting the most relevant results from the built-in search on Answers, use Google to search. Run the search with "answers.splunk.com" and with all of the keywords for what you are searching for.

Make sure you use Splunk terms in your searches for better results!

Posting questions

Ask only one question for each Splunk Answers post. Keeping your questions streamlined improves the likelihood of getting an answer quickly.

Post questions when the traffic on the site is at its highest. Typically, this is during business hours, Monday through Friday, US Pacific Time.

Titles used for questions are key

The titles that you use for your questions are important because they are the first and only thing that users see in a list of questions.

The question title should clearly state what you are asking for help with. This helps subject matter experts filter and find which questions are worth volunteering their valuable time to answer.

The following list contains examples of good question titles:

  • How to set the x-axis limits of a line chart?
  • Why is our universal forwarder not forwarding all logs on DHCP servers?
  • How to add a column of averages to a timechart?

Be brief but specific in your question titles.

Details, details, details

To increase the chances of getting your questions answered, provide as much detail as you can about your environment and the issue you are having. This saves time and helps eliminate a lot of back-and-forth clarification comments for the people trying to help you.

Some of the information you should provide includes:

  • What Splunk products and versions are you using?
  • Use exact Splunk product names and terminology because it makes the content searchable for everyone. If you are not sure about the exact names and terms to use, see the Splexicon.
  • What type of Splunk deployment are you using? Standalone, distributed search, indexer clustering, search head clustering, and so forth.
  • Are you using forwarders? Which type? Which version?
  • Include any relevant configuration file names, stanzas, and settings.
  • What error messages are you seeing? In which logs? On what Splunk instances?
  • What searches or regular expressions did you use?
  • Show what prior research you have done into the issue, so other users don't repeat the steps you have already taken to troubleshoot your issue. Be respectful of the time that other people have volunteered to take to help you. It is not the volunteer's job to do your homework for you.

The more information that you provide, the more likely your question will be answered quickly.

Sample data and expected results

If applicable, provide anonymized sample data. Having sample data to work with is helpful for troubleshooting, parsing, field extractions, search syntax, and so forth.

The Code Sample button is one of the most important tools to use when you are sharing any sample data, code, searches, regular expressions, and so forth. It ensures that special characters render properly.

If possible, show an example of what you expect the outcome or results to be. Knowing what you expect helps other users propose options for producing that outcome or results.

Tagging your questions

Tagging your questions can increase the chances that the people most knowledgeable about your issue see your question. Splunkers and Splunk users can follow specific tags to receive notifications when a question is posted with those tags.

  • You can select which Splunk product your issue is related to and this is added to the list of tags for your question.
  • Make sure to add tags for key Splunk terminology. Splunk terminology is documented in the Splexicon.
  • If you are using apps or add-ons, it is important to tag questions with the correct names for the apps and add-ons from Splunkbase.

This documentation applies to the following versions of Splunk® Answers and Splunkbase: splunkbase


Patrick, I'll contact you directly regarding your question. Thanks,

Andrewb splunk, Splunker
September 18, 2019

Good morning,

Please refer to https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Dataintegritycontrol.

While we know per the article that the Data integrity control service is available in Splunk Enterprise, is there (1) an equivalent cloud version of the same service, and (2) is it enabled for Talbots?

Please reply with details and how to configure if needed.

Patrick Kelly, CISSP, CRISC
Information Security Business Analyst - Talbots

September 9, 2019

Hi Mahesh,

Thank you for the feedback. To answer your questions:

1) You can see REST API examples, and endpoint description information here: https://docs.splunk.com/Documentation/Splunk/7.3.0/RESTREF/RESTsearch

2) You do not need the admin role, but you do need to be authorized to use APIs (by an admin role, typically).

3) If using the Splunk SDK for Python, refer to examples here: https://docs.splunk.com/DocumentationStatic/PythonSDK/1.6.5/#searchcommands

And more available examples with the SDK code: https://github.com/splunk/splunk-sdk-python/tree/master/examples such as saved_search, etc.

Patrick King
Splunk Developer Platform Documentation

Pking splunk, Splunker
June 24, 2019

Hi Team,
I would like to call the Splunk REST API using Python and perform a search operation. I'm in need of the following information.
1) API endpoint URL (I want the Splunk Web URL of my project. I can NOT use localhost, as I don't have any Splunk running on my local system. For example, I'm accessing Splunk using the URL "https://XXXXX.XXXXhc.dc01.us.adp/en-US/app/launcher/home")
2) I don't have admin access. Can I still access it through the REST API?
3) Any Python sample code to call the REST API using Python to perform a basic search


June 14, 2019

Do I need to pay for the Splunk Fundamentals II course to attend the certification exam?

October 24, 2018
