- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently, I have a search head running Splunk Enterprise 7.2 on Windows Server machine and an indexer running Splunk Enterprise 7.2 on another Windows Server machine. I have installed Splunk App for Infrastructure (1.2.0) on the search head and have installed Splunk Add-on for Infrastructure (1.2.0) + Splunk Universal Forwarder (7.1.1) on the indexer.
I set up Splunk App for Infrastructure and added the indexer as an entity. I was able to observe about 3 minutes of the indexer's status/performance before data stopped being collected. Now in the Entities view, the indexer is marked as "Inactive". Also, in the Analysis tab for the indexer, I'm getting a lot of errors saying "Unknown search command 'mcatalog'."
I have no idea why the indexer is inactive. Splunkd and the SplunkUniversalForwarder services are running on the indexer. Any ideas on what might be wrong would be really appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made a dumb mistake. The powershell script that I'm supposed to run when I add an entity was pointed to the search head instead of the indexer. I must've had it correct at one point for 3 minutes before rerunning the incorrect one, causing the 3 minutes of misleading success.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made a dumb mistake. The powershell script that I'm supposed to run when I add an entity was pointed to the search head instead of the indexer. I must've had it correct at one point for 3 minutes before rerunning the incorrect one, causing the 3 minutes of misleading success.
