topic Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"? in Splunk Search

When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

petreb — Tue, 01 Mar 2016 06:38:17 GMT

Hallo,

I have a setup with 2 indexers and a dedicated search head; the indexes.conf file is defined only on the indexers (they are configured as deployment clients with the search head as the deployment server in order to simplify the administration of the settings).

Searching via REST API always returns error message "supplied index 'p_uno' missing". According to this:
https://answers.splunk.com/answers/334974/rest-api-receiverssimple-supplied-index-missing.html
the solution would be to define the indexes also on the search head, i.e. the indexes.conf from the deployment class directory should be copied in etc/system/local.

The question is, how can I stop the search head from saving locally the indexed data, when the indexes.conf file gives also the physical paths pro index?

Thanks

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

jplumsdaine22 — Tue, 01 Mar 2016 10:38:10 GMT

Have you set up the indexers as search peers to the search head? It sounds like your search head is only search itself, but it does not have any data.

Have you followed all the steps here: http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/Configuredistributedsearch

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

petreb — Tue, 01 Mar 2016 11:18:08 GMT

yes, the indexers are configured as distributed search peers and they are working; the forwarders are configured to send data only to the indexers and the searchhead reads the data (correctly) from both

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

jplumsdaine22 — Tue, 01 Mar 2016 11:30:27 GMT

So searching from web UI works but searching from the API fails?

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

petreb — Tue, 01 Mar 2016 12:23:12 GMT

exactly, und according to one question I found here (the link is in my OP) the indexes should be defined also on the indexer (which isn't, in my case)

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

jplumsdaine22 — Wed, 02 Mar 2016 10:15:01 GMT

What REST endpoint are you accessing? Can you post your full request? The Splunk answer you lined to is talking about a data input, not a search.

Also can you clarify - in your last comment you said that the index p_uno is NOT defined on your indexers. But in your question you said it is ONLY defined on your indexers.

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

petreb — Thu, 03 Mar 2016 15:23:02 GMT

sorry, my fault, I have thought search head and wrote indexers

the indexes are defined ONLY on the indexers and not on the searchhead

curl -k -u user:pass "https://searchhead:8089/services/receivers/simple?source=www&sourcetype=web_event&index=p_uno" -d  "2016/02/26 03:00:01,some_random_string,0,2367,84032"

answer

<msg type="WARN">supplied index 'p_uno' missing</msg>

answer for index main works

<result>
  <field k="_index">
    <value>
      <text>main</text>
    </value>
  </field>
  <field k="bytes">
    <value>
      <text>60</text>
    </value>
  </field>
  <field k="host">
    <value>
      <text>10.134.222.99</text>
    </value>
  </field>
  <field k="source">
    <value>
      <text>www</text>
    </value>
  </field>
  <field k="sourcetype">
    <value>
      <text>web_event</text>
    </value>
  </field>
</result>

basically he doesn't find the p_uno on the searchhead, because the searchhead doesn't have the indexes defined

what happens if I copy the indexes.conf on the searchhead ? will it also save/store data locally ?

thanks for your patience

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

jplumsdaine22 — Thu, 03 Mar 2016 18:46:00 GMT

I see - why not use the rest endpoint on the indexer? Then you don't need to create the index on the search head

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

petreb — Fri, 04 Mar 2016 06:11:48 GMT

I suppose you mean

curl -ku user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search 2016/02/26 03:00:01,some_search_string" -d output_mode=csv

this "spreads" the search across the indexers and gives all available results (see below)

many many thanks

"_serial","_time",source,sourcetype,host,index,"splunk_server","_raw"
0,"2016-02-26 03:00:01.000 CET",www,"web_event","10.104.176.7","p_uno","splunk01-indexer","2016/02/26 03:00:01,some_search_string"
0,"2016-02-26 03:00:01.000 CET",www,"web_event","10.104.176.7","p_uno","splunk02-indexer","2016/02/26 03:00:01,some_search_string"
1,"2016-02-26 03:00:01.000 CET",www,"web_event","10.104.176.7","p_uno","splunk02-indexer","2016/02/26 03:00:01,some_search_string"

Re: When searching via REST API in a distributed search environment, why am I getting error "supplied index 'p_uno' missing"?

petreb — Fri, 18 Mar 2016 15:36:59 GMT

 curl -ku user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search 2016/02/26 03:00:01,some_search_string" -d output_mode=csv