Splunk Enterprise

I cannot connect to the search peer

kawashita_t
Explorer

The following error message is output.

Error Message : Problem replicating config (bundle) to search peer 'IP:Port', can't establish http connection.

I thought that the bundle size was affecting it, and I created the following distsearch.conf file in /etc/system/local.
However, it did not solve it. Also, until the other day I was able to connect without problems.

[replicationSettings]
sendRcvTimeout = 120

[replicationWhitelist]
allConf = *.conf

[replicationBlacklist]
vr = apps/app1/...
risona = apps/app2/...

[distributedSearch]
servers = https://xx.xx.xx.xx:xxxx

The only change is that the search peer's license was exceeded.
Below are the contents of splunkd.log:

04-18-2017 10:27:38.787 +0900 INFO  NetUtils - Connect timeout - waited for 60 seconds. ip=xx.xx.xx.xx port=xxxx
04-18-2017 10:27:38.787 +0900 WARN  HTTPClient - Connect to=xx.xx.xx.xx:xxxx timed out; exceeded 60sec, as per=distsearch.conf/[replicationSettings]/connectionTimeout
04-18-2017 10:27:38.787 +0900 WARN  DistributedBundleReplicationManager - Bundle upload error: Connect to=https://xx.xx.xx.xx:xxxx timed out; exceeded 60sec, as per=distsearch.conf/[replicationSettings]/connectionTimeout
04-18-2017 10:27:38.787 +0900 ERROR DistributedBundleReplicationManager - Unable to upload bundle to peer named splunk01 with uri=https://xx.xx.xx.xx:xxxx.
04-18-2017 10:27:38.787 +0900 WARN  DistributedBundleReplicationManager - Asynchronous bundle replication to 1 peer(s) succeeded; however it took too long (longer than 10 seconds): elapsed_ms=63086, tar_elapsed_ms=2136, bundle_file_size=126300KB, replication_id=1492478795, replication_reason="async replication allowed"
04-18-2017 10:27:38.787 +0900 WARN  DispatchReaper - Spent 35559ms reaping bundle tarballs in $SPLUNK_HOME/var/run
04-18-2017 10:27:38.789 +0900 INFO  PipelineComponent - MetricsManager:probeandreport() took longer than seems reasonable (61310 milliseconds) in callbackRunnerThread. Might indicate hardware or splunk limitations.
04-18-2017 10:28:01.174 +0900 WARN  DistributedPeerManager - Unable to distribute to peer named splunk01 at uri https://xx.xx.xx.xx:xxxx because replication was unsuccessful. replicationStatus Failed failure info: failed_because_HTTP_CONNECTION_FAILURE
0 Karma
1 Solution

suarezry
Builder

Delete the search peer from your distributed search config (in splunk web), then add the search peer back in. Does the replication succeed after this?

0 Karma

kawashita_t
Explorer

Thank you for the answer.
It was not a problem with Splunk; it was a network problem.

I want to investigate the network.

0 Karma
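
Added example, not part of the thread and not Splunk's own tooling: a small triage script for the splunkd.log messages quoted in the question. It reports, per peer, whether the failure was a connect timeout and which distsearch.conf setting the log names as the limit. The sample lines are constructed in the thread's log format, and the endpoint 192.0.2.10:8089 is a placeholder.

```python
import re

# Constructed sample in the splunkd.log format quoted in the question;
# 192.0.2.10:8089 is a placeholder endpoint, not a value from the thread.
SAMPLE_LOG = """\
04-18-2017 10:27:38.787 +0900 INFO  NetUtils - Connect timeout - waited for 60 seconds. ip=192.0.2.10 port=8089
04-18-2017 10:27:38.787 +0900 WARN  HTTPClient - Connect to=192.0.2.10:8089 timed out; exceeded 60sec, as per=distsearch.conf/[replicationSettings]/connectionTimeout
04-18-2017 10:27:38.787 +0900 ERROR DistributedBundleReplicationManager - Unable to upload bundle to peer named splunk01 with uri=https://192.0.2.10:8089.
04-18-2017 10:27:38.787 +0900 WARN  DistributedBundleReplicationManager - Asynchronous bundle replication to 1 peer(s) succeeded; however it took too long (longer than 10 seconds): elapsed_ms=63086, tar_elapsed_ms=2136, bundle_file_size=126300KB, replication_id=1492478795, replication_reason="async replication allowed"
04-18-2017 10:28:01.174 +0900 WARN  DistributedPeerManager - Unable to distribute to peer named splunk01 at uri https://192.0.2.10:8089 because replication was unsuccessful. replicationStatus Failed failure info: failed_because_HTTP_CONNECTION_FAILURE
"""

TIMEOUT = re.compile(r"Connect to=(?:https?://)?(\S+) timed out; exceeded (\d+)sec, as per=(\S+)")
UPLOAD = re.compile(r"Unable to upload bundle to peer named (\S+) with uri=https?://(\S+?)\.?$")
FAILED = re.compile(r"peer named (\S+) at uri https?://(\S+) because .*failure info: (\S+)")
BUNDLE = re.compile(r"elapsed_ms=(\d+), tar_elapsed_ms=(\d+), bundle_file_size=(\d+)KB")

def triage(log_text):
    """Group bundle-replication findings by peer endpoint (host:port)."""
    found = {}
    for line in log_text.splitlines():
        if m := TIMEOUT.search(line):
            # The log itself names the setting whose limit was hit.
            found.setdefault(m.group(1), {}).update(
                stage="connect", waited_s=int(m.group(2)), setting=m.group(3))
        elif m := UPLOAD.search(line):
            found.setdefault(m.group(2), {})["peer"] = m.group(1)
        elif m := FAILED.search(line):
            found.setdefault(m.group(2), {}).update(peer=m.group(1), status=m.group(3))
        elif m := BUNDLE.search(line):
            # This message is not tied to one peer, so it is kept separately.
            found.setdefault("_bundle", {}).update(
                elapsed_ms=int(m.group(1)), tar_ms=int(m.group(2)), size_kb=int(m.group(3)))
    return found

def verdict(peer_findings):
    """Say whether the failure happened before a connection was established."""
    if peer_findings.get("stage") == "connect":
        return ("network: no connection established within %ds, limit from %s"
                % (peer_findings["waited_s"], peer_findings["setting"]))
    return "no connect timeout logged: read the failure info for the cause"

if __name__ == "__main__":
    for endpoint, info in triage(SAMPLE_LOG).items():
        print(endpoint, info, verdict(info) if endpoint != "_bundle" else "")
```

On the sample, the peer is classified as a connect timeout limited by connectionTimeout, which is a different setting from the sendRcvTimeout changed in the question.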