Deployment Architecture

Search head and indexer have different index lists

moonyoungjung
New Member

I have a question about indexes.
In my environment,

search head cluster is 5ea,
indexer peer node 20ea,
indexer cluster master 1ea and
heavy forwarder etc

When I check indexes list in indexer peer node,
every indexer has the same 30 indexes in the list,
but every search peer has different indexes list.
Some "search head " has indexes 10 list of it
the other has 15 list in setting -> indexes

This is a problem when I add data from a search head.
I want to add data from B indexes but there is no list in indexes.

How can I sync the list from the indexer?

0 Karma

moonyoungjung
New Member

SH1: [image: sh1]

SH2: [image: sh2]

0 Karma

inventsekar
SplunkTrust
When I check indexes list in indexer peer node, 
every indexer has the same 30 indexes in the list 

Only the search head has the Splunk GUI. The Splunk indexer has no Splunk GUI.
Only the indexer will have indexes. The search head handles only the search requests (and a few more functionalities).
From the search head, it internally connects to the indexer and gets the list of indexer.

I assume yours is a distributed but not clustered environment.
So, it may be possible that one search head (SH1) connects to an indexer (IDX1), whereas another search head (SH2) may connect to another indexer (IDX2). The indexes configured on IDX1 may be different from IDX2.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

moonyoungjung
New Member

I will explain in more detail.
sh1 settings->data->indexes list (23 indexes)
sh1 settings->data->indexes list (20 indexes)
are different.
And the entire number of indexes is 40.
Every index cluster member has 40 indexes in its list.

sh1 has 17 indexes, not in sync with the entire index list.
sh2 has 20 indexes, not in sync with the entire index list either.

This situation is a problem when I add data from sh1 and sh2.
For example, I want to add data to idx_a but there is no idx_a in sh1 at the select index information step.

0 Karma

moonyoungjung
New Member

Thank you for your answer.

I checked the directory //splunk_home/var/lib/splunk/ on all 20 indexers.
Every directory has the same folder structure and the same index folder names.
I also checked the settings of SH1, SH2, ...SH5 under Distributed search » Search peers.
The list is the same.

What conf file should I fix or check?

0 Karma

inventsekar
SplunkTrust
Some "search head " has indexes 10 list of it
the other has 15 list in setting -> indexes

This part is a bit confusing. Could you please write your question once again? Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

moonyoungjung
New Member

I will explain in more detail.
Sh1 Settings -> data -> indexes list (23 indexes)
Sh2 Settings -> data -> indexes list (20 indexes)
are different.
And the entire number of indexes is 40; every index cluster member has 40 indexes.

Sh1 has 17 indexes; it's not in sync with the indexer cluster,
and Sh2 has 20; it's not in sync with the indexer cluster either.

This situation is a problem when I add data from sh1 and sh2.
For example, I want to add data to idx_a but there is no idx_a in sh1 at the select index information step.

0 Karma

moonyoungjung
New Member

Thank you for your answer.

I checked the Distributed search » Search peers list.
SH1 and SH2 have the same list in it.

What conf file should I fix?

This is the shclustering stanza of my server.conf on SH1, SH2, SH3:

SH1 etc/system/local/server.conf
[shclustering]
conf_deploy_fetch_url = http://x.x.x.36:8089
disabled = 0
mgmt_uri = http://x.x.x.31:8089
pass4SymmKey = ****************=
replication_factor = 2
id = A154BD4B-2199-44E0-856F-4781DA470875
shcluster_label = shcluster
election = 1
mode = member

SH2 etc/system/local/server.conf
[shclustering]
conf_deploy_fetch_url = http://x.x.x.36:8089
disabled = 0
mgmt_uri = http://x.x.x.32:8089
pass4SymmKey = *******************=
replication_factor = 2
id = A154BD4B-2199-44E0-856F-4781DA470875
shcluster_label = shcluster
election = 1
mode = member

SH3 etc/system/local/server.conf
[shclustering]
conf_deploy_fetch_url = http://x.x.x.36:8089
disabled = 0
mgmt_uri = http://x.x.x.33:8089
pass4SymmKey = ***********************=
replication_factor = 2
id = A154BD4B-2199-44E0-856F-4781DA470875
shcluster_label = shcluster
election = 1
mode = member

0 Karma