Solved: Search Heads not looking for Events on Both Indexe...

TLAZO · ‎04-21-2016

I have two indexers: splnkindex001 (si1) and splnkindex002 (si2). Both indexers have index replication configured for index A.
Even with this index A replication configured, it takes a couple of hours to do so. That would not be a problem if Search Heads (splnksearch001 and splnksearch002) were not looking for events on both indexers in one single search. Sometimes I will get information from the "un-updated" indexer and have to include the "splunk_server=splnkindex001" or "splunk_server=splnkindex002" on my search to double check.
Is this a normal behavior on distributed search? I thought that the search head would look for events by default on all search peers.

rurbina10 · ‎04-21-2016

On the search head(s):

Settings->Distributed Management Console
Setup->Apply Changes->Refresh

That will resolve the issue.

Now you will see both indexers under searchProviders (job's property)

searchProviders
[
"SPLNKINDEX001",
"SPLNKINDEX002"
]

View solution in original post

rurbina10 · ‎04-21-2016

On the search head(s):

Settings->Distributed Management Console
Setup->Apply Changes->Refresh

That will resolve the issue.

Now you will see both indexers under searchProviders (job's property)

searchProviders
[
"SPLNKINDEX001",
"SPLNKINDEX002"
]

TLAZO · ‎04-21-2016

Thanks Renzo. That worked

Search Heads not looking for Events on Both Indexers

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms