Ask and answer questions
You can begin your Splunk Answers community participation by asking or answering a question.
How to ask a question
If you've got a specific question about using, deploying, or troubleshooting a problem with Splunk, we recommend you first search Documentation, then search Splunk Answers to see if a similar question to yours has already been posted.
If no one else has asked your question, navigate to http://answers.splunk.com/answers and click Ask a question, next to the search bar.
The title of your question should be as clear as possible. What exactly are you asking? Do you want help with a field extraction? If so, a title like "Need help writing a field extraction that does <xyz>". Are you seeing an error in your Splunk logs and want help figuring out what it means? "Seeing the following error <error snippet>, what does it mean?" is a clear question title.
In the text of your question, provide as much detailed info about your situation and environment as you can, taking care not to share any confidential data. Useful information includes:
- The Splunk products and versions you're using
- Whether or not you're using forwarders, and which type(s)
- Error messages you're seeing, and in which logs
- Examples of the data you're indexing or searching (if relevant to your problem)
- Configurations, regexes, etc.
- Prior research you have done and your desired result
- Exact Splunk Enterprise terminology
The text editor tools are your friend. Use the Code Sample button to wrap any sample code, data, search strings, or conf file stanzas in a code box to render special characters properly. If you are including snippets of code within a sentence, enclose it with back-ticks (`).
Resolving your post
After you receive an answer with a working solution to your question, please resolve your post by clicking "Accept” directly below the answer that solved your problem. This will make it easier for other users with the same issue to find the solution when searching for answers.
How to answer a question
If you have a full, complete answer for a question, use the Enter your answer here… text field at the bottom of a question page to fill out and submit your response.
If you still need to gather more information from the poster of the question before proposing a thorough solution, click Add comment directly below the question to communicate what you need them to provide.
Be thorough and explain why your solution answers the question. Educate the community on how to troubleshoot and solve the problem rather than simply copying and pasting an answer.
Make it easy for the reader to find what is needed and point them in the right direction from the start.
If your answer touches on a topic covered in the Splunk documentation , you should add a reference link so users can explore more information on the subject. If there are external resources such as regex helper tools or Wikipedia, provide links to the tools/site if the information on those links support your answer.
Tips for getting your questions answered
If you can’t find what you’re looking for, then follow these best practices for asking a question. These recommendations are based on observations of the interactions between askers and answerers, as well as research conducted on common factors found in questions that do not receive any answers.
Before asking a question, you should search the Splunk documentation. The documentation is a great first resource for answers to your questions. If you don't find what you are looking for, then search Splunk Answers to see if someone else has asked the same or similar question.
If you feel like you are not getting the best relevant results from the built-in search on Answers, use Google to search. Run the search with “answers.splunk.com” and with all of keywords for what you are searching for.
Make sure you use Splunk terms in your searches for better results!
Ask only one question for each Splunk Answers post. Keeping your questions streamlined improves the likelihood of getting an answer quickly.
Post questions when the traffic on the site is at it's highest. Typically, this is during business hours, Monday through Friday, US Pacific Time.
Titles used for questions are key
The title that you use for your questions are important because it is the first and only thing that users see in a list of questions.
The question title should clearly state what you are asking for help with. This helps subject matter experts filter and find which questions are worth volunteering their valuable time to answer.
The following list contains examples of good question titles:
- How to set the x-axis limits of a line chart?
- Why is our universal forwarder not forwarding all logs on DHCP servers?
- How to add a column of averages to a timechart?
Be brief but specific in your question titles.
Details, details, details
To increase the chances of getting your questions answered, provide as much detail about your environment and the issue you are having. This saves time and helps eliminate a lot of back and forth clarification comments for the people trying to help you.
Some of the information you should provide includes:
- What Splunk products and versions are you using?
- Use exact Splunk product names and terminology because it make the content searchable for everyone. If you are not sure about the exact names and terms to use, see the Splexicon.
- What type of Splunk deployment that you are using. Standalone, distributed search, indexer clustering, search head clustering, and so forth.
- Are you using forwarders? Which type? Which version?
- Include any relevant configuration file names, stanzas, and settings.
- What error messages are you seeing? In which logs? On what Splunk instances?
- What searches or regular expressions did you use?
- Show what prior research you have done into the issue, so other users don’t repeat the steps you have already taken to troubleshoot your issue. Be respectful of the time that other people have volunteered to take to help you. It is not the volunteer's job to do your homework for you.
The more information that you provide, the more likely your question will be answered quickly.
Sample data and expected results
If applicable, provide anonymized sample data. Having sample data to work with is helpful for troubleshooting, parsing, field extractions, search syntax, and so forth.
One of the most important things to use is the Code Sample button when you are sharing any sample data, code, searches, regular expressions, and so forth. This will ensure that special characters render properly.
If possible, show an example of what you expect the outcome or results to be. Knowing what you expect helps other users propose options for producing that outcome or results.
Tagging your questions
Tagging your questions can increase the chances that the people most knowledgeable about your issue see your question. Splunkers and Splunk users can follow specific tags to receive notifications when a question is posted with those tags.
- You can select which Splunk product your issue is related to and this is added to the list of tags for your question.
- Make sure to add tags for key Splunk terminology. Splunk terminology is documented in the Splexicon.
- If you are using apps or add-ons, it is important to tag questions with the correct names for the apps and add-ons from Splunkbase.
Use tags to search and categorize
This documentation applies to the following versions of Splunk® Answers and Splunkbase: splunkbase