1 Reply Latest reply on Dec 31, 2018 1:41 PM by patrick.byrne.0

    Splunk Data source issues with missing and disappearing fields

    Barbara Knowles



      I'm having problems connecting to Splunk.  I have 25+ reports built that I'm trying to connect to from Tableau.  There are 8 that I can connect to with no problem.  In 11 cases, when I connect to them, all I see are the _time and span fields that are available because I used the timechart command in the Splunk search.  2 of the reports only show me one field other than the timechart fields.  And 2 additional reports behave inconsistently.  Sometimes they show me all the fields and then an hour later, they'll only show me the timechart fields.


      I'm pulling my hair out because this issue is so frustrating.  I've asked our tableau rep for help (We're in the process of evaluating the software).  I've asked our Splunk admin team for help.  I don't have access to the back-end of the software, but I can tell you that all the permissions are the same on these reports.  I've submitted a question to the Splunk forums.  I've searched the web.  The documentation regarding Tableau connections to Splunk is extremely limited.


      I don't think attaching a packaged workbook would help since the live connection is the issue.  I do have screenprints, if you'd like to see them.


      Please note that while my current employer is in the process of evaluating the software and does intend to purchase it, I have 6 years of experience with Tableau.  I've worked with the server, REST API, the drivers, viz alerts, etc.  And, yes, I have downloaded the correct splunk odbc driver.


      I'd appreciate any insights anyone might have.