Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search Head not Getting latest events from Indexer

TLAZO
Explorer
‎01-15-2016 03:43 AM

Good morning,

We have an splunk architecture with 2 Search Heads and 2 Indexers.
This morning when our user tried to look for today's logs from the SearchHead, he could not retrieve any data. Concerned about that, I ran the same query on both SearchHeads and Indexers, same as the user I could not find any data from today on the SearchHead but I found that on the Indexer. Last event was from 2 days ago.
That case only happened with one index. I tried the same for another couple of indexes and could not see the same behavior.
This is concerning me because users create their alerts on the SearchHead (They don't have access to the Indexers UI) and if they cannot see realtime information neither will the alerts.
After a 40 minutes waiting we could retrieve todays' information. Please, we need this to be addressed as soon as possible. We need real time responses.

Tags (1)
0 Karma
Reply

jplumsdaine22
Influencer
‎01-19-2016 09:40 AM

As @somesoni2 mentioned, check the user timezone settings. If there are no timezone issues have a look at http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Troubleshootingeventsindexingdela...

0 Karma
Reply

renjith_nair
Legend
‎01-15-2016 04:09 AM

Your splunk infra is clustered or distributed? Are the two search heads connecting to both indexers? Ideally you shouldn't be seeing any difference in search between indexer UI and search head unless your search head is also indexing some data. Have you seen any errors in splunkd logs on search head or indexers?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

TLAZO
Explorer
‎04-21-2016 07:31 AM

Yes, both indexers are visible from both search heads.

0 Karma
Reply

somesoni2
Revered Legend
‎01-15-2016 07:50 AM

Check if the timezone is same on all SH and Indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...