Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Datamodel replication issue in SHC

Nawab
Path Finder
4 weeks ago

I have a SHC of 3 search heads. I changed some fields in data model of 1 sh. it is replicated on 2nd SH, but 3rd SH does not have the same fields. Even though that SH was the captian.

 

I ran resync command but still the same issue.

 

 

Labels (1)
Labels
0 Karma
Reply

Nawab
Path Finder
4 weeks ago

I edited the datamodel using web UI, also I just edited a macro and it is reflected in the cluster

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

Ok. This might call for some more troubleshooting but what I'd check

1. Whether the contents of the etc/apps are the same on all nodes.

2. What is the status of the shcluster.

3. If it's always the same sh that is not in sync? And if it's "both ways" out of sync - changes on other shs are not replicated to this one and changes on this one are not replicated to other ones.

Check the connectivity within the cluster, check logs.

 

0 Karma
Reply

Nawab
Path Finder
4 weeks ago

I have just added a field in datamodel which i need to use in my searches. this field is duplicated in 2 SHs but in 1 SH that field is not available.

Cluster health is Okay, and if I change any thing on dashboards or corelation search it is reflected in all SHs

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

OK. How did you edit the datamodel? Normally from the WebUI? Or did you fiddle with the jsons directly?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
4 weeks ago

Ok. Do you mean that you redefined the Datamodel itself or just changed the acceleratio  parameters? And are you talking about the dataset definitions or the summarized data in context of it being not in sync?

How did you modify those configurations?

Do you have the same settings defines within an app pushed from the deployer?

 

0 Karma
Reply

Nawab
Path Finder
4 weeks ago

I dont think this is related to my case. if change is replicated with in 2 SH, why changes are not replicated on 1 SH, all 3 SH are sending logs to indexers

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
4 weeks ago
Have you check that your SHC is healthy and there is no issues e.g. with kvstore or other replications? Easiest this can do with MC or if you haven’t set it up, then you can do those by queries from internal indexes, rest api and cli.
0 Karma
Reply

Nawab
Path Finder
4 weeks ago

yes, sh is sending logs to indexers

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
4 weeks ago

Hi @,

please see this:

https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Clustersandsummaryreplication

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
4 weeks ago

Hi @Nawab ,

did you configured your SHs to send logs to the Indexers?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...