Search Head not Getting latest events from Indexer

TLAZO · ‎01-15-2016

Good morning,

We have an splunk architecture with 2 Search Heads and 2 Indexers.
This morning when our user tried to look for today's logs from the SearchHead, he could not retrieve any data. Concerned about that, I ran the same query on both SearchHeads and Indexers, same as the user I could not find any data from today on the SearchHead but I found that on the Indexer. Last event was from 2 days ago.
That case only happened with one index. I tried the same for another couple of indexes and could not see the same behavior.
This is concerning me because users create their alerts on the SearchHead (They don't have access to the Indexers UI) and if they cannot see realtime information neither will the alerts.
After a 40 minutes waiting we could retrieve todays' information. Please, we need this to be addressed as soon as possible. We need real time responses.

jplumsdaine22 · ‎01-19-2016

As @somesoni2 mentioned, check the user timezone settings. If there are no timezone issues have a look at http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Troubleshootingeventsindexingdela...

renjith_nair · ‎01-15-2016

Your splunk infra is clustered or distributed? Are the two search heads connecting to both indexers? Ideally you shouldn't be seeing any difference in search between indexer UI and search head unless your search head is also indexing some data. Have you seen any errors in splunkd logs on search head or indexers?

---
What goes around comes around. If it helps, hit it with Karma 🙂

TLAZO · ‎04-21-2016

Yes, both indexers are visible from both search heads.

somesoni2 · ‎01-15-2016

Check if the timezone is same on all SH and Indexers.

Search Head not Getting latest events from Indexer

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake