How to create an alert to trigger if one of the indexers is not reachable in a distributed search environment?

New Member


I have 1 search head and 3 indexers where one of them is working as a license node.
I've had a situation where one of them lost connection (service was down).
How do I create an alert for the search head to inform if one of the indexers is not reachable?

0 Karma

Path Finder

Hi there,

DMC has a set of alerts, I believe this one might solve your issue?
" DMC Alert - Search Peer Not Responding".

or you build an alert based on below:

index=_internal host="search_head_host" "Connection to host=*:9997 failed" sourcetype=splunkd component=TcpOutputFd 

and pipe it to any other logic that you need (based on your environment) to create and generate an alert.

0 Karma