https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211151#M61739 <P>I recently added a new splunk server in a distributed environment. Now, when I do this search:</P> <PRE><CODE>index=os earliest="09/01/2015:09:30:00" latest="09/01/2015:09:35:00" | timechart count by splunk_server </CODE></PRE> <P>the new splunk server does not show up in the results. However, if I do this search,</P> <PRE><CODE>index=os splunk_server=* earliest="09/01/2015:09:30:00" latest="09/01/2015:09:35:00" | timechart count by splunk_server </CODE></PRE> <P>then, it shows up.</P> <P>Can anyone tell me why? I have the search load-balanced so I have about the same number of events going into each indexer.<BR /> Thank you in advance.</P> Tue, 01 Sep 2015 16:53:24 GMT louieb3 2015-09-01T16:53:24Z https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211151#M61739 <P>I recently added a new splunk server in a distributed environment. Now, when I do this search:</P> <PRE><CODE>index=os earliest="09/01/2015:09:30:00" latest="09/01/2015:09:35:00" | timechart count by splunk_server </CODE></PRE> <P>the new splunk server does not show up in the results. However, if I do this search,</P> <PRE><CODE>index=os splunk_server=* earliest="09/01/2015:09:30:00" latest="09/01/2015:09:35:00" | timechart count by splunk_server </CODE></PRE> <P>then, it shows up.</P> <P>Can anyone tell me why? I have the search load-balanced so I have about the same number of events going into each indexer.<BR /> Thank you in advance.</P> Tue, 01 Sep 2015 16:53:24 GMT https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211151#M61739 louieb3 2015-09-01T16:53:24Z https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211152#M61740 <P>What is inside <CODE>distsearch.conf</CODE>? How did you add the Indexer? Are you using <CODE>Search Head Pooling</CODE>?</P> <P>See this question, too:</P> <P><A href="http://answers.splunk.com/answers/221468/search-returns-zero-results-searchlog-reports-dist.html">http://answers.splunk.com/answers/221468/search-returns-zero-results-searchlog-reports-dist.html</A></P> Tue, 01 Sep 2015 18:21:34 GMT https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211152#M61740 woodcock 2015-09-01T18:21:34Z https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211153#M61741 <P>That was it. I looked at <CODE>distsearch.conf</CODE> and saw that all of my indexers except for the new one was in the <CODE>[distributedSearch:dmc_group_indexer]</CODE> stanza.</P> <P>I went into the <CODE>Distributed Management Console</CODE>, under <CODE>Remote instances</CODE>, edited the <CODE>Server Role</CODE> for the new indexer (it was already configured as an indexer), saved it, and then applied the changes and voila, issue resolved. Thanks, woodcock!</P> <P>To answer your question, in distsearch.conf, I had the stanzas <CODE>[distributedSearch]</CODE> which contained all of the indexers and <CODE>[distributedSearch:dmc_group_indexer]</CODE> which also contained a list of my indexers except for the recently added one.</P> Tue, 01 Sep 2015 19:09:50 GMT https://community.splunk.com/t5/Splunk-Search/After-adding-a-new-Splunk-server-in-a-distributed-environment/m-p/211153#M61741 louieb3 2015-09-01T19:09:50Z