Solved: search head not working in a cluster

pil321 · ‎01-02-2014

I've set upt a cluster in a lab environment - replication factor of 2 using RHEL 6.4. All looks good from the master node (all data is searchable, search factor is met, replication factor is met). I'm also using a heavy forwarder. Forwarding to the 2 peers is done on separate ports (9997 and 9998). Receiving from the hosts is on port 9996. Deploymemnt monitor shows the forwarders are up (one heavy and one universal).

When I try to do a search (from the search head), I get a message stating "no results found".

Any ideas?

lguinn2 · ‎01-02-2014

The forwarders need to send on the same port as the indexers (peers) receive. Also, you don't need to use different ports on the different indexers. I suggest the following

On each indexer, set the receiving port to 9997.

On each forwarder, set the server in outputs.conf to

server=indexer1:9997,indexer2:9997

On the search head, under distributed search, add each indexer. For this, use the splunkd port (8089 by default).

View solution in original post

lguinn2 · ‎01-02-2014

The forwarders need to send on the same port as the indexers (peers) receive. Also, you don't need to use different ports on the different indexers. I suggest the following

On each indexer, set the receiving port to 9997.

On each forwarder, set the server in outputs.conf to

server=indexer1:9997,indexer2:9997

On the search head, under distributed search, add each indexer. For this, use the splunkd port (8089 by default).

somesoni2 · ‎01-02-2014

Just to ensure, the indexer is added as search peer in Search Head?

search head not working in a cluster

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...