- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Indexes not visible on searchhead
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexes not visible on searchhead
Hi I have created a splunk cluster with the following configuration:
1 * Master (also the licensing master) - indexing turned off
3 * Inders peers
1 * Standalone search head - index turned off
I have created a basic configuration bundle - a folder for myapp1 under in master-apps on the master node:
$SPLUNK_HOME/etc/master-apps/
_cluster/
default/
local/
/ indexes.conf
I validated the bundle and on success applied to cluster. This created the index and app on the indexers. I have uploaded some data into the index. It is all green on the cluster dashboard but I cannot see the indexes on the searchhead. What should be done to view the indexes on the searchead. I am new to Splunk, have been asked to provision a splunk cluster... Please help.
Thanks,
Nelton
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by I cannot see? What exactly are you doing to see?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you add the cluster master to the search head to make the cluster searchable from search head?
http://docs.splunk.com/Documentation/Splunk/7.1.1/Indexer/Enablethesearchhead
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This i done... when i click Distributed Environment -> Indexer clustering on the search head. I see the node listed as Search Head. The Cluster Master is listed under the section Clusters searched.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are you able to search internal data from the indexers? This to make sure communication is good between the search head and indexers?
second step is to make sure the data actually exists on the indexers. You can login to indexer GUI and go to settings indexes and see the event count or current size of the index.
Third step would be to make sure you are searching the data in the correct time range. If your time stamps are off, the data might be in a different time range than you are expecting.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
