Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Datamodel replication issue in SHC

Nawab
Path Finder
3 weeks ago

I have a SHC of 3 search heads. I changed some fields in data model of 1 sh. it is replicated on 2nd SH, but 3rd SH does not have the same fields. Even though that SH was the captian.

 

I ran resync command but still the same issue.

 

 

Labels (1)
Labels
0 Karma
Reply

Nawab
Path Finder
3 weeks ago

I edited the datamodel using web UI, also I just edited a macro and it is reflected in the cluster

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

Ok. This might call for some more troubleshooting but what I'd check

1. Whether the contents of the etc/apps are the same on all nodes.

2. What is the status of the shcluster.

3. If it's always the same sh that is not in sync? And if it's "both ways" out of sync - changes on other shs are not replicated to this one and changes on this one are not replicated to other ones.

Check the connectivity within the cluster, check logs.

 

0 Karma
Reply

Nawab
Path Finder
3 weeks ago

I have just added a field in datamodel which i need to use in my searches. this field is duplicated in 2 SHs but in 1 SH that field is not available.

Cluster health is Okay, and if I change any thing on dashboards or corelation search it is reflected in all SHs

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

OK. How did you edit the datamodel? Normally from the WebUI? Or did you fiddle with the jsons directly?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

Ok. Do you mean that you redefined the Datamodel itself or just changed the acceleratio  parameters? And are you talking about the dataset definitions or the summarized data in context of it being not in sync?

How did you modify those configurations?

Do you have the same settings defines within an app pushed from the deployer?

 

0 Karma
Reply

Nawab
Path Finder
3 weeks ago

I dont think this is related to my case. if change is replicated with in 2 SH, why changes are not replicated on 1 SH, all 3 SH are sending logs to indexers

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
3 weeks ago
Have you check that your SHC is healthy and there is no issues e.g. with kvstore or other replications? Easiest this can do with MC or if you haven’t set it up, then you can do those by queries from internal indexes, rest api and cli.
0 Karma
Reply

Nawab
Path Finder
3 weeks ago

yes, sh is sending logs to indexers

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @,

please see this:

https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Clustersandsummaryreplication

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
3 weeks ago

Hi @Nawab ,

did you configured your SHs to send logs to the Indexers?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...