Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Distributed search set up between A and B, node B missing source

orjanb314
Engager
‎09-29-2010 12:23 PM

In my company we have 2 servers running Splunk 4.1.5. Each one has the other configured to be a search peer in distributed search. So far only node A receives data for indexing and node B has only the default inputs. On node B most of the data from A is visible, but it's clear that much is missing. Most importantly no data with our Blucoat proxy as source shows up on node B.

I have also installed Splunk locally on my PC and configured it with both A and B as search peers. It has the same data as node B available. Anyone have any possible answers for this at the top of their heads?

Edit: I have made some screenshots to illustrate. I feel like I'm missing something very basic here, but I'm just a newbie. 😉

Splunk 1 Splunk 2

Tags (1)
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you still have a problem with this, just go into the splunk support page and they have all the infirmations there.

0 Karma
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you need some help with this just go into the splunk support page, they have all the information there.

0 Karma
Reply

orjanb314
Engager
‎09-30-2010 06:19 AM

As far as I can see it doesn't matter what searches I do, the data simply isn't available on B.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-30-2010 04:14 AM

It seems likely that the "missing" data on A is in a non-default index. Queries from your PC and from node B are implicitly querying the default indexes (as defined on the machine from which you run the search). Node A probably has modified its local default indexes to include the index containing your "missing" data.

You could test this by explicitly querying for index=* (assuming that on your PC/node B that you are in fact allowed to query for those indexes).

Reply

Genti
Splunk Employee
Splunk Employee
‎09-29-2010 09:16 PM

what are the searches that you are doing in both indexer A and indexer B to view the bluecoat data?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...