All Apps and Add-ons

Splunk App for Infrastructure entity inactive after 3 minutes of collecting data

hgu
Explorer

Currently, I have a search head running Splunk Enterprise 7.2 on Windows Server machine and an indexer running Splunk Enterprise 7.2 on another Windows Server machine. I have installed Splunk App for Infrastructure (1.2.0) on the search head and have installed Splunk Add-on for Infrastructure (1.2.0) + Splunk Universal Forwarder (7.1.1) on the indexer.

I set up Splunk App for Infrastructure and added the indexer as an entity. I was able to observe about 3 minutes of the indexer's status/performance before data stopped being collected. Now in the Entities view, the indexer is marked as "Inactive". Also, in the Analysis tab for the indexer, I'm getting a lot of errors saying "Unknown search command 'mcatalog'."

I have no idea why the indexer is inactive. Splunkd and the SplunkUniversalForwarder services are running on the indexer. Any ideas on what might be wrong would be really appreciated!

0 Karma
1 Solution

hgu
Explorer

I made a dumb mistake. The powershell script that I'm supposed to run when I add an entity was pointed to the search head instead of the indexer. I must've had it correct at one point for 3 minutes before rerunning the incorrect one, causing the 3 minutes of misleading success.

View solution in original post

0 Karma

hgu
Explorer

I made a dumb mistake. The powershell script that I'm supposed to run when I add an entity was pointed to the search head instead of the indexer. I must've had it correct at one point for 3 minutes before rerunning the incorrect one, causing the 3 minutes of misleading success.

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!