I am seeing a few "Splunk Alert: DMC Alert - Search Peer Not Responding" each day for one of my indexers, but it is always a false alarm. The indexer in question resides at the same site and is in the same subnet as the DMC....there seems to be no network issue.
How does this part of the alert
| rest splunk_server=local /services/search/distributed/peers/ work to determine status?
Hm, did you already find this detail in the REST API Reference Manual? It lists the possible values of status.
That's not what I'm looking for, but thanks. I want to know how DMC determines the status of a peer. If I understand how it makes that determination then I can (theoretically) troubleshoot whether or not our false positives are truly false.
That DMC alert is making the rest call and alerting if the status is anything other than up. So if the server isn't accessible via the management port or the status is one of the other values in the end point reference it will fire.
Not a Splunk server
Free Splunk server