All Apps and Add-ons

S.o.S: Topology view continues to list a disabled peer as active search-peer for a given SH

drrushi_splunk
Splunk Employee
Splunk Employee

Why does the Topology view in S.o.S 3.0.1 continue to list a disabled peer as active under the SH detailed information on the right-hand side ?

1 Solution

hexx
Splunk Employee
Splunk Employee

At this time, the scheduled search maintaining the "sos_servers_cache" asset lookup that the Topology view consumes will add any newly-found search peers but will not remove those that no longer respond.

This is a limitation of the current implementation that we plan to improve on in a future release of S.o.S, where we will probably still show the non-responding peers but mark them as such ("missing" or "unresponsive").

In order to get rid of decommissioned search peers, you need to edit the $SPLUNK_HOME/etc/apps/sos/lookups/sos_servers_cache.csv lookup table and manually remove their entries. We also hope to offer a UI-driven method to do this in a future release.

View solution in original post

hexx
Splunk Employee
Splunk Employee

At this time, the scheduled search maintaining the "sos_servers_cache" asset lookup that the Topology view consumes will add any newly-found search peers but will not remove those that no longer respond.

This is a limitation of the current implementation that we plan to improve on in a future release of S.o.S, where we will probably still show the non-responding peers but mark them as such ("missing" or "unresponsive").

In order to get rid of decommissioned search peers, you need to edit the $SPLUNK_HOME/etc/apps/sos/lookups/sos_servers_cache.csv lookup table and manually remove their entries. We also hope to offer a UI-driven method to do this in a future release.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...