Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distributed search set up between A and B, node B missing source

orjanb314
Engager
‎09-29-2010 12:23 PM

In my company we have 2 servers running Splunk 4.1.5. Each one has the other configured to be a search peer in distributed search. So far only node A receives data for indexing and node B has only the default inputs. On node B most of the data from A is visible, but it's clear that much is missing. Most importantly no data with our Blucoat proxy as source shows up on node B.

I have also installed Splunk locally on my PC and configured it with both A and B as search peers. It has the same data as node B available. Anyone have any possible answers for this at the top of their heads?

Edit: I have made some screenshots to illustrate. I feel like I'm missing something very basic here, but I'm just a newbie. 😉

Splunk 1 Splunk 2

Tags (1)
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you still have a problem with this, just go into the splunk support page and they have all the infirmations there.

0 Karma
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you need some help with this just go into the splunk support page, they have all the information there.

0 Karma
Reply

orjanb314
Engager
‎09-30-2010 06:19 AM

As far as I can see it doesn't matter what searches I do, the data simply isn't available on B.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-30-2010 04:14 AM

It seems likely that the "missing" data on A is in a non-default index. Queries from your PC and from node B are implicitly querying the default indexes (as defined on the machine from which you run the search). Node A probably has modified its local default indexes to include the index containing your "missing" data.

You could test this by explicitly querying for index=* (assuming that on your PC/node B that you are in fact allowed to query for those indexes).

Reply

Genti
Splunk Employee
Splunk Employee
‎09-29-2010 09:16 PM

what are the searches that you are doing in both indexer A and indexer B to view the bluecoat data?

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...