Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search Head not Getting latest events from Indexer

TLAZO
Explorer
‎01-15-2016 03:43 AM

Good morning,

We have an splunk architecture with 2 Search Heads and 2 Indexers.
This morning when our user tried to look for today's logs from the SearchHead, he could not retrieve any data. Concerned about that, I ran the same query on both SearchHeads and Indexers, same as the user I could not find any data from today on the SearchHead but I found that on the Indexer. Last event was from 2 days ago.
That case only happened with one index. I tried the same for another couple of indexes and could not see the same behavior.
This is concerning me because users create their alerts on the SearchHead (They don't have access to the Indexers UI) and if they cannot see realtime information neither will the alerts.
After a 40 minutes waiting we could retrieve todays' information. Please, we need this to be addressed as soon as possible. We need real time responses.

Tags (1)
0 Karma
Reply

jplumsdaine22
Influencer
‎01-19-2016 09:40 AM

As @somesoni2 mentioned, check the user timezone settings. If there are no timezone issues have a look at http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Troubleshootingeventsindexingdela...

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎01-15-2016 04:09 AM

Your splunk infra is clustered or distributed? Are the two search heads connecting to both indexers? Ideally you shouldn't be seeing any difference in search between indexer UI and search head unless your search head is also indexing some data. Have you seen any errors in splunkd logs on search head or indexers?

Happy Splunking!
0 Karma
Reply

TLAZO
Explorer
‎04-21-2016 07:31 AM

Yes, both indexers are visible from both search heads.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎01-15-2016 07:50 AM

Check if the timezone is same on all SH and Indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...