The diag tarball does not contain any of your indexed data, but you can examine its contents before sending it. If you have many forwarders, send only one representative forwarder diag. Label the diags so it's clear which instance each is from. If you have a forwarder and a receiver that are not working together correctly, send us diags of both. You can make a diag on any instance type: forwarder, indexer, search head, or deployment server. That insight comes in the form of a "diag" or diagnostic file, which is essentially a snapshot of the configuration of the Splunk platform instance and the recent logs from that instance. Splunk Support needs both the context of the problem and insight into the instance that is not performing as expected. Most Support cases are for functional problems: the software has been configured to do something, but it is behaving in an unexpected way. Is it a configuration issue? These include extractions, input configurations, forwarding, apps disabling, or authentication.Is it a back end issue? These problems could include crashing, OS issues, REST API, or SDK.Is it a searching issue? These include Splunk Web, management, roles, apps, views and dashboards, search language.What behavior do you observe, compared to what you expect? Be specific: for example, how late is "late"? What elements are present for the issue? What's the timeline leading to the error? What processes are running when the error appears? Where does the issue occur? On a forwarder? On an indexer? When you contact Support, you can save time by starting out with everything we'll need!
0 Comments
Leave a Reply. |