topic Re: How to see Internal logs which are sent from Search Head to Indexer? in Deployment Architecture

How to see Internal logs which are sent from Search Head to Indexer?

varad_joshi — Wed, 06 Sep 2017 10:22:06 GMT

I followed the steps mentioned on below link to send internal logs from SH to indexer.

http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Forwardsearchheaddata

Now I am looking for a way to check and validate that I am receiving internal logs from SH to my indexer. How do I do that?

Re: How to see Internal logs which are sent from Search Head to Indexer?

cpetterborg — Wed, 06 Sep 2017 10:41:46 GMT

This should do it:

index=_internal host=searchheadhostname

If there are events returned, it should be working.

Re: How to see Internal logs which are sent from Search Head to Indexer?

gcusello — Wed, 06 Sep 2017 10:41:58 GMT

Hi varad_joshi,
did you tried

index=_internal host=SH_hostename

?
Bye.
Giuseppe

Re: How to see Internal logs which are sent from Search Head to Indexer?

cpetterborg — Wed, 06 Sep 2017 10:50:54 GMT

Jinx!

@cusello - E una cosa Americana di dirlo quando diciamo la stessa cosa allo stesso tempo. 🙂 🙂 Auguri!

Re: How to see Internal logs which are sent from Search Head to Indexer?

varad_joshi — Wed, 06 Sep 2017 10:59:42 GMT

Yup. I dont see SH mentioned in the host field. I should have mentioned that in my question.

Re: How to see Internal logs which are sent from Search Head to Indexer?

varad_joshi — Wed, 06 Sep 2017 11:00:47 GMT

I dont see SH mentioned in the host field. I should have mentioned that in my question. So events are not being moved to indexer. Right?

Re: How to see Internal logs which are sent from Search Head to Indexer?

cpetterborg — Wed, 06 Sep 2017 11:07:45 GMT

Sounds like that is correct.

Be sure you are forwarding your events to the indexers. You can do it in the GUI, too. If you don't set it up to forward, then they will stay on the SH. It's like you would do on an HF.

Re: How to see Internal logs which are sent from Search Head to Indexer?

Javip — Wed, 06 Sep 2017 11:11:16 GMT

Have a look to this url and review your config according to that:

http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata

Hope this helps you

Re: How to see Internal logs which are sent from Search Head to Indexer?

gcusello — Wed, 06 Sep 2017 11:12:17 GMT

OK thanks!
Bye.
Giuseppe

Re: How to see Internal logs which are sent from Search Head to Indexer?

varad_joshi — Thu, 07 Sep 2017 07:18:35 GMT

I used that URL to start forwarding internal logs. Now I want to validate the logs are coming to indexer.

Re: How to see Internal logs which are sent from Search Head to Indexer?

Javip — Thu, 07 Sep 2017 10:28:51 GMT

Ahh, ok, I thought you were wrong with Splunk version or so ...

The logs are not coming to your indexer, but are they still accesible in your SH? Have you read them if they show you some kind of problem/error?
Have you checked communication in port 9997 between SH and indexers?

Regards.

Re: How to see Internal logs which are sent from Search Head to Indexer?

cpetterborg — Thu, 07 Sep 2017 12:17:02 GMT

I think I finally understand what you need.

If you look at the field splunk_server on the data from the search that cusello and I answered with, that will tell you which host the data was indexed on. If the field has your indexer, then it is working. If it is the search head, then it is not.

Hopefully I understood your dilemma correctly.