Distributed search set up between A and B, node B ...

orjanb314 · ‎09-29-2010

In my company we have 2 servers running Splunk 4.1.5. Each one has the other configured to be a search peer in distributed search. So far only node A receives data for indexing and node B has only the default inputs. On node B most of the data from A is visible, but it's clear that much is missing. Most importantly no data with our Blucoat proxy as source shows up on node B.

I have also installed Splunk locally on my PC and configured it with both A and B as search peers. It has the same data as node B available. Anyone have any possible answers for this at the top of their heads?

Edit: I have made some screenshots to illustrate. I feel like I'm missing something very basic here, but I'm just a newbie. 😉

Splunk 1 Splunk 2

canadianman · ‎09-20-2011

If you still have a problem with this, just go into the splunk support page and they have all the infirmations there.

canadianman · ‎09-20-2011

If you need some help with this just go into the splunk support page, they have all the information there.

orjanb314 · ‎09-30-2010

As far as I can see it doesn't matter what searches I do, the data simply isn't available on B.

gkanapathy · ‎09-30-2010

It seems likely that the "missing" data on A is in a non-default index. Queries from your PC and from node B are implicitly querying the default indexes (as defined on the machine from which you run the search). Node A probably has modified its local default indexes to include the index containing your "missing" data.

You could test this by explicitly querying for index=* (assuming that on your PC/node B that you are in fact allowed to query for those indexes).

Genti · ‎09-29-2010

what are the searches that you are doing in both indexer A and indexer B to view the bluecoat data?

Distributed search set up between A and B, node B missing source

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life