https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261342#M21671 <P>Hi,</P> <P>the splunkd.log on your indexers should be indexed automatically. You can find them by searching index=_internal. There you will find all internal splunk logdata.</P> <P>For getting the internal logs of your searchhead to the indexer tier look at this. This works similar for your master node.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata">http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata</A></P> <P>kind regards</P> Thu, 20 Oct 2016 19:09:22 GMT TStrauch 2016-10-20T19:09:22Z https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261341#M21670 <P>I have a working environment using index discovery.</P> <P>While doing command 'tail -f' on idx01 (Indexer - master box), I notice the following logs.</P> <H2>idx01 (tail -f /opt/splunk/var/log/splunk/splunkd.log)</H2> <P>10-19-2016 20:59:27.187 +0000 WARN DistributedPeerManager - Unable to distribute to peer named idx03 at uri <A href="https://10.200.2.35:8089" target="_blank">https://10.200.2.35:8089</A> because replication was unsuccessful. replicationStatus Failed failure info: failed_because_HTTP_REPLY_READ_FAILURE<BR /> 10-19-2016 20:59:27.187 +0000 WARN DistributedPeerManager - Unable to distribute to peer named idx04 at uri <A href="https://10.200.2.38:8089" target="_blank">https://10.200.2.38:8089</A> because replication was unsuccessful. replicationStatus Failed failure info: failed_because_HTTP_CONNECTION_FAILURE<BR /> 10-19-2016 20:59:38.186 +0000 INFO TcpOutputProc - Connected to idx=10.200.2.36:9997<BR /> 10-19-2016 20:59:46.316 +0000 WARN DistributedBundleReplicationManager - Asynchronous bundle replication to 3 peer(s) succeeded; however it took too long (longer than 10 seconds): elapsed_ms=19129, tar_elapsed_ms=3726, bundle_file_size=75900KB, replication_id=1476910767, replication_reason="async replication allowed"</P> <P>I did search using this string 'Failed failure info' on splunk, but found nothing.</P> <P>I am not sure if logs on indexers are parsed and indexed.<BR /> What is the best practice to monitor/analyze logs on indexers/search head boxes?</P> <P>Thank you.</P> Tue, 29 Sep 2020 11:28:24 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261341#M21670 makincerdas 2020-09-29T11:28:24Z https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261342#M21671 <P>Hi,</P> <P>the splunkd.log on your indexers should be indexed automatically. You can find them by searching index=_internal. There you will find all internal splunk logdata.</P> <P>For getting the internal logs of your searchhead to the indexer tier look at this. This works similar for your master node.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata">http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata</A></P> <P>kind regards</P> Thu, 20 Oct 2016 19:09:22 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261342#M21671 TStrauch 2016-10-20T19:09:22Z https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261343#M21672 <P>I did not use 'index=_internal' on earlier attempt.<BR /> It works by entering the following search, using 'index=_internal'</P> <P>index="_internal" Failed failure info source="/opt/splunk/var/log/splunk/splunkd.log"</P> <P>Thank you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/160192">@TStrauch</a> </P> Tue, 29 Sep 2020 11:31:44 GMT https://community.splunk.com/t5/Deployment-Architecture/How-do-we-analyze-indexers-search-head-log/m-p/261343#M21672 makincerdas 2020-09-29T11:31:44Z