How to Generate a Diag in Splunk

By |Published On: March 18th, 2021|

When working with your Splunk environment or troubleshooting an issue, we (or Splunk Support if you aren’t a Hurricane Labs Managed Splunk Services customer) may need to collect some additional information from the system to assist with troubleshooting. This is called a Splunk diagnostic file, or diag for short. 

This tutorial will walk you through the process of creating this file and sending it to us or Splunk Support for review.

Creating the Diag

Creating a diag is easy–you simply run the Splunk executable with the diag option. Splunk also has a number of options that can be used with this tool to exclude or include different components or files in the diag. These are covered in-depth in the Splunk documentation.

When requesting a diag, we will often exclude the etc/auth directory from the diag so that this information is not included in the package that is created. The command to do that will look like this: 

splunk.exe diag --exclude */etc/auth/*

Below I’ve included a screencast demonstration of the process to create a diag.

Sending the file to Hurricane Labs

If you’re a Hurricane Labs Managed Splunk Services customer, you’ll share this file with us. The diag file can contain sensitive information about your configuration and should never be emailed or shared in an insecure way out of an abundance of caution. The best way to share the file with us is via the file transfer tool in our support portal

Alternatively, your Hurricane Labs support engineer can provide you with a link to attach files securely to a support ticket in the event the administrator we’re working with doesn’t have access to the support portal. 

Sending the file to Splunk Support

If you aren’t a Hurricane Labs Managed Splunk Services customer and you have an active support case with Splunk, you can upload a diag to Splunk via the diag tool. The appropriate flags are covered in Splunk docs.


You probably won’t need to create a diag often–but it’s almost inevitable that someone who works with a large number of Splunk systems will need to do this at some point in their Splunk journey. Hopefully, this guide will help when that time comes.

Share with your network!
Get monthly updates from Hurricane Labs
* indicates required

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit and follow us on Twitter @hurricanelabs.