Splunk Enterprise

write script to deploy diag file

harishsplunk7
Explorer

Can anyone give me an idea or a Python script to generate a diag file in Splunk, log in to the Splunk support portal, enter the case number, and upload the file automatically?

0 Karma

livehybrid
Super Champion

Hi @harishsplunk7 

Just for anyone catching up: to confirm, you specifically want to script the diag pushing. Whilst this is available with --upload on the diag command, it isn't possible to do this non-interactively because of the password request.

I've been doing some more digging on this on my local instance. The CLI uses Python's getpass to request your password for the support portal/splunk.com interactively, and to my knowledge it's not possible to pipe/inject into this using anything like stdin; however, I did find the Python calls which actually do the upload.

Here is an example Python script which I believe may work for you. I've not had a chance to test it entirely yet, only in sections:

import sys, os, glob
# Make Splunk's bundled Python modules importable (adjust to your install path)
sys.path.append("/opt/splunk/lib/python3.9/site-packages")
from splunk.clilib import info_gather

# Locate latest diag file in SPLUNK_HOME
SPLUNK_HOME = os.environ.get("SPLUNK_HOME", "/opt/splunk")
# Sort by modification time so the newest diag is last, whatever its file name
diag_files = sorted(glob.glob(os.path.join(SPLUNK_HOME, "diag-*.tar.gz")), key=os.path.getmtime)
if not diag_files:
    raise FileNotFoundError("No diag file found")
diag_file = diag_files[-1]

# Holds the upload settings passed to upload_to_splunkcom
class CustomOptions:
    def __init__(self, upload_user, upload_password, case_number, upload_description):
        self.upload_user = upload_user
        self.upload_password = upload_password
        self.case_id = case_number
        self.upload_description = upload_description
        self.upload_uri = "https://api.splunk.com"


# Placeholder values: replace them, and keep the real password out of the script file
options = CustomOptions(
    upload_user="your_username",
    upload_password="your_password",
    case_number="1234567",
    upload_description="Automated diag upload",
)

result = info_gather.upload_to_splunkcom(diag_file, options)
print("Upload result:", result)

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
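
One way to fill the `upload_user` and `upload_password` fields of the options object in the script above without hard-coding them, as an added example that is not part of the original post or of Splunk's code. It makes no call to Splunk; the function name `load_upload_options`, the `user=`/`password=` file format and the numeric case-number check are assumptions made for this illustration.

```python
import os
import tempfile
from types import SimpleNamespace


def load_upload_options(cred_path, case_number, description):
    """Build the options object from a credential file only its owner can access."""
    mode = os.stat(cred_path).st_mode
    if mode & 0o077:  # any group/other permission bit is set
        raise PermissionError(f"{cred_path} must be mode 0600 or stricter")
    creds = {}
    with open(cred_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                creds[key.strip()] = value.strip()
    missing = {"user", "password"} - creds.keys()
    if missing:
        raise KeyError(f"credential file lacks: {sorted(missing)}")
    # Assumption: case numbers are numeric, like the examples in this thread.
    if not str(case_number).isdigit():
        raise ValueError("case number must be numeric")
    # Attribute names follow the CustomOptions class in the post above.
    return SimpleNamespace(
        upload_user=creds["user"],
        upload_password=creds["password"],
        case_id=str(case_number),
        upload_description=description,
        upload_uri="https://api.splunk.com",
    )


def demo():
    # Constructed sample: one throwaway file, rejected at 0644, accepted at 0600.
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("# constructed values\nuser=svc_diag\npassword=not-a-real-secret\n")
    try:
        os.chmod(fh.name, 0o644)
        try:
            load_upload_options(fh.name, "1234567", "Automated diag upload")
            rejected = False
        except PermissionError:
            rejected = True
        os.chmod(fh.name, 0o600)
        return rejected, load_upload_options(fh.name, "1234567", "Automated diag upload")
    finally:
        os.unlink(fh.name)
```

The returned object can be passed where the post's script passes `options`, so the password lives in a file readable only by the account that runs the job rather than in the script.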

isoutamo
SplunkTrust

I think just a couple of lines of sh script is enough, as diag already has an option to send and attach it to your case in Splunk. You can find more at https://docs.splunk.com/Documentation/Splunk/9.4.2/Troubleshooting/Generateadiag

0 Karma

livehybrid
Super Champion

Edit: deleted previous reply.

Never mind, I'm sure it originally said UF 🙄

 

0 Karma

isoutamo
SplunkTrust

That’s true, but at least for me it’s really rare to create a diag on a UF and then send it to Splunk. But if you need to do it regularly, then it’s a different story. In that case I would probably do it e.g. with an Ansible play where I log in to the UF, generate the diag, then copy it to a full Splunk instance, and in the last task send it to Splunk with diag.
Those were the steps I did manually the last time I needed to send a diag from a UF to Splunk.

harishsplunk7
Explorer

Thank you. Can you please let me know the Python script to upload the diag file to Splunk support?

0 Karma

isoutamo
SplunkTrust

Just the command

splunk diag --upload...

and some needed parameters:

Upload:
    Flags to control uploading files  Ex: splunk diag --upload
[...]
    --case-number=case-number
                        Case number to attach to, e.g. 200500
    --upload-user=UPLOAD_USER
                        splunk.com username to use for uploading
    --upload-description=UPLOAD_DESCRIPTION
                        description of file upload for Splunk support
    --firstchunk=chunk-number
                        For resuming upload of a multi-part upload; select the
                        first chunk to send
    --chunksize=chunk-size
                        Optional set the chunksize in bytes to be uploaded

These are described at the above link.

When you are doing the upload, it doesn’t need to be done on the node where you created the diag file. Just move it to any Splunk Enterprise node which has HTTPS access to Splunk support over the internet.

If needed, you can create a script in any language you want to use, but as I already said, I would probably use Ansible for scripting. But it’s your decision based on your environment, needs and the tools you have.

0 Karma

livehybrid
Super Champion

Hi @harishsplunk7 

I wanted to check, are you using Windows or Linux UFs? UFs do not have Python installed as part of the Splunk deployment, therefore Python might not be the best approach for this?


0 Karma

harishsplunk7
Explorer

We have multiple Splunk clusters and will need to generate a diag file every time for a search head or indexer.

So we need to automate the process of generating the diag and uploading it to the Splunk support case automatically.

I have a script to generate a file and enter the case, but Splunk support will need an API or some connection to log in, search for the case and upload the diag.

 

0 Karma

livehybrid
Super Champion

Hi @harishsplunk7 

What is your existing script doing? Perhaps we can help enhance this. Is there a specific reason you need it to be Python?

Does your existing script get around the problem that the diag command with the --upload flag requires you to interactively enter your password? I'm not sure how we can get around this issue.

Ultimately this activity could probably be repeated directly using the API that the diag upload CLI uses, however I am not sure if this information is publicly available.


0 Karma