How to Generate a Diag in Splunk

When working with your Splunk environment or troubleshooting an issue, we (or Splunk Support if you aren’t a Hurricane Labs Managed Splunk Services customer) may need to collect some additional information from the system to assist with troubleshooting. This is called a Splunk diagnostic file, or diag for short. 

This tutorial will walk you through the process of creating this file and sending it to us or Splunk Support for review.


Creating the Diag

Creating a diag is easy: you simply run the Splunk executable with the diag option. Splunk also has a number of options that can be used with this tool to exclude or include different components or files in the diag. These are covered in depth in the Splunk documentation.

When requesting a diag, we will often exclude the etc/auth directory so that its contents are not included in the package that is created. The command to do that looks like this:

splunk.exe diag --exclude */etc/auth/*
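
A check to run on the finished archive before sharing it, as an added example that is not part of the original post: it lists the archive's member names and reports anything under etc/auth without extracting files. It assumes the diag is a tar archive (compressed or not); the function names and the sample paths are constructed for illustration.

```python
import fnmatch
import io
import sys
import tarfile

# "*/etc/auth/*" is the exclusion used in the command above.
SENSITIVE_PATTERNS = ("*/etc/auth/*",)


def find_sensitive_members(fileobj, patterns=SENSITIVE_PATTERNS):
    """Return sorted member paths in a diag archive that match any pattern.

    Only member names are read; nothing is extracted to disk.
    """
    hits = set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Normalise Windows separators so one pattern covers both styles.
            path = member.name.replace("\\", "/")
            # A directory entry such as ".../etc/auth" should match as well.
            probe = path + "/" if member.isdir() else path
            if any(fnmatch.fnmatchcase(probe, p) for p in patterns):
                hits.add(path)
    return sorted(hits)


def build_sample_diag(paths):
    """Build a constructed in-memory .tar.gz containing the given paths."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in paths:
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real diag archive
        with open(sys.argv[1], "rb") as fh:
            found = find_sensitive_members(fh)
    else:  # constructed sample, not a real diag
        found = find_sensitive_members(build_sample_diag(
            ["diag-host01/etc/system/local/server.conf",
             "diag-host01/etc/auth/splunk.secret"]))
    for path in found:
        print("SENSITIVE:", path)
    sys.exit(1 if found else 0)
```

Run it with the path to the diag archive as the only argument; a non-zero exit status means at least one etc/auth entry is still in the package.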

Below I’ve included a screencast demonstration of the process to create a diag.

Sending the file to Hurricane Labs

If you’re a Hurricane Labs Managed Splunk Services customer, you’ll share this file with us. The diag file can contain sensitive information about your configuration, so out of an abundance of caution it should never be emailed or shared in an insecure way. The best way to share the file with us is via the file transfer tool in our support portal.

Alternatively, your Hurricane Labs support engineer can provide you with a link to attach files securely to a support ticket in the event the administrator we’re working with doesn’t have access to the support portal. 

Sending the file to Splunk Support

If you aren’t a Hurricane Labs Managed Splunk Services customer and you have an active support case with Splunk, you can upload a diag to Splunk via the diag tool. The appropriate flags are covered in the Splunk docs.


You probably won’t need to create a diag often, but it’s almost inevitable that someone who works with a large number of Splunk systems will need to do this at some point in their Splunk journey. Hopefully, this guide will help when that time comes.


*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Tom Kopchak. Read the original post at: