Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Distributed search set up between A and B, node B missing source

orjanb314
Engager
‎09-29-2010 12:23 PM

In my company we have 2 servers running Splunk 4.1.5. Each one has the other configured to be a search peer in distributed search. So far only node A receives data for indexing and node B has only the default inputs. On node B most of the data from A is visible, but it's clear that much is missing. Most importantly no data with our Blucoat proxy as source shows up on node B.

I have also installed Splunk locally on my PC and configured it with both A and B as search peers. It has the same data as node B available. Anyone have any possible answers for this at the top of their heads?

Edit: I have made some screenshots to illustrate. I feel like I'm missing something very basic here, but I'm just a newbie. 😉

Splunk 1 Splunk 2

Tags (1)
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you still have a problem with this, just go into the splunk support page and they have all the infirmations there.

0 Karma
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you need some help with this just go into the splunk support page, they have all the information there.

0 Karma
Reply

orjanb314
Engager
‎09-30-2010 06:19 AM

As far as I can see it doesn't matter what searches I do, the data simply isn't available on B.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-30-2010 04:14 AM

It seems likely that the "missing" data on A is in a non-default index. Queries from your PC and from node B are implicitly querying the default indexes (as defined on the machine from which you run the search). Node A probably has modified its local default indexes to include the index containing your "missing" data.

You could test this by explicitly querying for index=* (assuming that on your PC/node B that you are in fact allowed to query for those indexes).

Reply

Genti
Splunk Employee
Splunk Employee
‎09-29-2010 09:16 PM

what are the searches that you are doing in both indexer A and indexer B to view the bluecoat data?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...