How to Generate a Diag in Splunk

2 min read, Mar 29, 2021


Written by: Tom Kopchak

When working with your Splunk environment or troubleshooting an issue, we (or Splunk Support if you aren’t a Hurricane Labs Managed Splunk Services customer) may need to collect some additional information from the system to assist with troubleshooting. This is called a Splunk diagnostic file, or diag for short.

This tutorial will walk you through the process of creating this file and sending it to us or Splunk Support for review.

Creating the Diag

Creating a diag is easy: you simply run the Splunk executable with the diag option. Splunk also provides a number of options for this tool that include or exclude particular components or files in the diag. These are covered in depth in the Splunk documentation.

When requesting a diag, we will often exclude the etc/auth directory, which holds the instance's certificates and secrets (such as splunk.secret), so that this material is not included in the package that is created. The command to do that will look like this (on Linux or macOS, use the splunk binary and quote the pattern so the shell does not expand it):

splunk.exe diag --exclude */etc/auth/*

Below I’ve included a screencast demonstration of the process to create a diag.

Sending the file to Hurricane Labs

If you’re a Hurricane Labs Managed Splunk Services customer, you’ll share this file with us. The diag file can contain sensitive information about your configuration and should never be emailed or shared in an insecure way out of an abundance of caution. The best way to share the file with us is via the file transfer tool in our support portal.

Alternatively, your Hurricane Labs support engineer can provide you with a link to attach files securely to a support ticket in the event the administrator we’re working with doesn’t have access to the support portal.

Sending the file to Splunk Support

If you aren’t a Hurricane Labs Managed Splunk Services customer and you have an active support case with Splunk, you can upload a diag to Splunk via the diag tool. The appropriate flags are covered in Splunk docs.

Conclusion

You probably won't need to create a diag often, but it's almost inevitable that someone who works with a large number of Splunk systems will need to do this at some point in their Splunk journey. Hopefully, this guide will help when that time comes.

For more Splunk tutorials, check out Hurricane Labs’ Splunk Tutorials page, and follow us on Twitter!
