Deployment Architecture

How does DMC determine the status of its search peers?

Motivator

I am seeing a few "Splunk Alert: DMC Alert - Search Peer Not Responding" each day for one of my indexers, but it is always a false alarm. The indexer in question resides at the same site and is in the same subnet as the DMC....there seems to be no network issue.

How does this part of the alert | rest splunk_server=local /services/search/distributed/peers/ work to determine status?

Splunk Employee
Splunk Employee

Hm, did you already find this detail in the REST API Reference Manual? It lists the possible values of status.

http://docs.splunk.com/Documentation/Splunk/6.4.2/RESTREF/RESTdeploy#search.2Fdistributed.2Fpeers

0 Karma

Motivator

That's not what I'm looking for, but thanks. I want to know how DMC determines the status of a peer. If I understand how it makes that determination then I can (theoretically) troubleshoot whether or not our false positives are truly false.

0 Karma

Communicator

That DMC alert is making the rest call and alerting if the status is anything other than up. So if the server isn't accessible via the management port or the status is one of the other values in the end point reference it will fire.
Down
Blacklisted
Not a Splunk server
Free Splunk server
Authentication Failed
Duplicate License
Duplicate Servername
Inconsistent bundles

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!