Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Datamodel replication issue in SHC

Nawab
Communicator
‎12-16-2024 02:34 AM

I have a SHC of 3 search heads. I changed some fields in data model of 1 sh. it is replicated on 2nd SH, but 3rd SH does not have the same fields. Even though that SH was the captian.

 

I ran resync command but still the same issue.

 

 

Labels (1)
Labels
0 Karma
Reply

Nawab
Communicator
‎12-16-2024 11:51 PM

I edited the datamodel using web UI, also I just edited a macro and it is reflected in the cluster

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-17-2024 08:26 AM

Ok. This might call for some more troubleshooting but what I'd check

1. Whether the contents of the etc/apps are the same on all nodes.

2. What is the status of the shcluster.

3. If it's always the same sh that is not in sync? And if it's "both ways" out of sync - changes on other shs are not replicated to this one and changes on this one are not replicated to other ones.

Check the connectivity within the cluster, check logs.

 

0 Karma
Reply

Nawab
Communicator
‎12-16-2024 11:32 PM

I have just added a field in datamodel which i need to use in my searches. this field is duplicated in 2 SHs but in 1 SH that field is not available.

Cluster health is Okay, and if I change any thing on dashboards or corelation search it is reflected in all SHs

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-16-2024 11:50 PM

OK. How did you edit the datamodel? Normally from the WebUI? Or did you fiddle with the jsons directly?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-16-2024 03:21 PM

Ok. Do you mean that you redefined the Datamodel itself or just changed the acceleratio  parameters? And are you talking about the dataset definitions or the summarized data in context of it being not in sync?

How did you modify those configurations?

Do you have the same settings defines within an app pushed from the deployer?

 

0 Karma
Reply

Nawab
Communicator
‎12-16-2024 03:25 AM

I dont think this is related to my case. if change is replicated with in 2 SH, why changes are not replicated on 1 SH, all 3 SH are sending logs to indexers

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-16-2024 01:43 PM
Have you check that your SHC is healthy and there is no issues e.g. with kvstore or other replications? Easiest this can do with MC or if you haven’t set it up, then you can do those by queries from internal indexes, rest api and cli.
0 Karma
Reply

Nawab
Communicator
‎12-16-2024 02:42 AM

yes, sh is sending logs to indexers

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2024 02:52 AM

Hi @,

please see this:

https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Clustersandsummaryreplication

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2024 02:41 AM

Hi @Nawab ,

did you configured your SHs to send logs to the Indexers?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top