How to see Internal logs which are sent from Search Head to Indexer?

varad_joshi
Communicator

I followed the steps mentioned at the link below to send internal logs from the SH to the indexer.

http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Forwardsearchheaddata

Now I am looking for a way to check and validate that I am receiving internal logs from SH to my indexer. How do I do that?

0 Karma

Javip
Path Finder

Have a look at this URL and review your config according to that:

http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata

Hope this helps you

0 Karma

varad_joshi
Communicator

I used that URL to start forwarding internal logs. Now I want to validate that the logs are coming to the indexer.

0 Karma

Javip
Path Finder

Ahh, ok, I thought you had the wrong Splunk version or something ...

The logs are not coming to your indexer, but are they still accessible on your SH? Have you read them to see if they show some kind of problem/error?
Have you checked communication on port 9997 between the SH and the indexers?

Regards.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi varad_joshi,
did you try

index=_internal host=SH_hostname

?
Bye.
Giuseppe

0 Karma

varad_joshi
Communicator

Yup. I don't see the SH mentioned in the host field. I should have mentioned that in my question.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Jinx!

@cusello - It's an American thing to say when we say the same thing at the same time. 🙂 🙂 Best wishes!

0 Karma

gcusello
SplunkTrust
SplunkTrust

OK thanks!
Bye.
Giuseppe

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

This should do it:

index=_internal host=searchheadhostname

If there are events returned, it should be working.

0 Karma

varad_joshi
Communicator

I don't see the SH mentioned in the host field. I should have mentioned that in my question. So events are not being moved to the indexer. Right?

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Sounds like that is correct.

Be sure you are forwarding your events to the indexers. You can do it in the GUI, too. If you don't set it up to forward, then they will stay on the SH. It's like you would do on an HF.

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

I think I finally understand what you need.

If you look at the field splunk_server on the data from the search that cusello and I answered with, that will tell you which host the data was indexed on. If the field has your indexer, then it is working. If it is the search head, then it is not.

Hopefully I understood your dilemma correctly.

0 Karma
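The check cpetterborg describes (look at which instance the search head's events were indexed on) and Javip's port 9997 question can be scripted, so the same validation runs after every change to outputs.conf. The example below is added here and is not code from the thread or from Splunk; it assumes the Splunk REST endpoint `/services/search/jobs/export` with `output_mode=json`, which returns one JSON object per line, and a bearer token for authentication. The hostnames, token and the sample rows it runs against offline are constructed. Note that `splunk_server` carries the indexing instance's serverName (from server.conf), which is not always identical to the value in the `host` field, so the search head's serverName is passed separately.

```python
"""
Validate that a search head's _internal events are being forwarded to indexers.
Verdicts:
  forwarded  - every event from the SH host was indexed on another instance
  local_only - events exist but were indexed on the SH itself (not forwarding)
  mixed      - both, typically the window straddles the moment forwarding began
  no_events  - nothing found: wrong host value, port 9997 blocked, or no data yet
"""
import json
import socket
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List


def forwarding_check_spl(search_head_host: str, earliest: str = "-15m") -> str:
    """SPL that groups the SH host's _internal events by the instance that indexed them."""
    return (f'search index=_internal host="{search_head_host}" earliest={earliest} '
            '| stats count by splunk_server')


def classify(search_head_server_name: str, rows: Iterable[dict]) -> str:
    """Turn the stats rows (export JSON objects) into one of the verdicts above."""
    counts: Dict[str, int] = {}
    for row in rows:
        result = row.get("result") or {}          # preview/offset rows have no result
        server = result.get("splunk_server")
        if not server:
            continue
        counts[server] = counts.get(server, 0) + int(result.get("count", 0))
    if not counts:
        return "no_events"
    remote = {s for s in counts if s != search_head_server_name}
    local = search_head_server_name in counts
    if remote and local:
        return "mixed"
    return "forwarded" if remote else "local_only"


def indexer_port_reachable(host: str, port: int = 9997, timeout: float = 3.0) -> bool:
    """TCP connect test for the receiving port; a refused or timed-out connect is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def export_rows(base_url: str, token: str, spl: str,
                opener: Callable = urllib.request.urlopen) -> List[dict]:
    """Run SPL through the export endpoint and return the newline-delimited JSON rows."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs/export", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    rows = []
    with opener(req, timeout=60) as resp:
        for line in resp:
            line = line.strip()
            if line:
                rows.append(json.loads(line))
    return rows


# Constructed sample of what the export endpoint returns for the stats search.
SAMPLE_ROWS_FORWARDED = [
    {"preview": False, "offset": 0, "result": {"splunk_server": "idx01", "count": "5120"}},
    {"preview": False, "offset": 1, "result": {"splunk_server": "idx02", "count": "4987"}},
]
SAMPLE_ROWS_LOCAL = [
    {"preview": False, "offset": 0, "result": {"splunk_server": "sh01", "count": "10107"}},
]


def main() -> None:
    # Hypothetical names; replace with the real SH host/serverName and indexer.
    sh_host, sh_server_name, indexer = "sh01.example.internal", "sh01", "idx01.example.internal"
    print("SPL:", forwarding_check_spl(sh_host))
    print("indexer:9997 reachable:", indexer_port_reachable(indexer))
    print("verdict (sample, forwarded):", classify(sh_server_name, SAMPLE_ROWS_FORWARDED))
    print("verdict (sample, local):", classify(sh_server_name, SAMPLE_ROWS_LOCAL))
    # Live run, with a real token:
    # rows = export_rows("https://sh01.example.internal:8089", "<token>", forwarding_check_spl(sh_host))
    # print(classify(sh_server_name, rows))


if __name__ == "__main__":
    main()
```

A `local_only` verdict is the situation in this thread: outputs.conf on the search head is not sending to the indexers, or `indexAndForward` is keeping a local copy, so the events are searchable but only on the SH. `no_events` with the port reachable usually means the `host` value in the search does not match what the SH stamps on its own events; `no_events` with the port unreachable points at the network or the indexer's receiving configuration.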