Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to fetch logs from Index in Search Head

RAVISHANKAR
Loves-to-Learn Lots
‎10-25-2024 03:00 AM

Hello,

I have configured an index inside an indexer and when i try to fetch data from that index in search head not getting any data.

when i search that same index in indexer i could get the data from the index but not from search head.

Could you please assist what configuration needs to be checked on my search head and indexer ?

Note - it's not clustered setup.

 

Thanks

 

Labels (4)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2024 03:14 AM

Hi @RAVISHANKAR ,

did you configured Distributed Search in Settings, configuring the Indexers for searching?

Ciao.

Giuseppe

0 Karma
Reply

RAVISHANKAR
Loves-to-Learn Lots
‎10-25-2024 04:08 AM

@gcusello  -

 

could you please explain a bit more in detail..

 

configured Distributed Search in Settings, configuring the Indexers for searching? - in indexer or in search head ??

Thanks

0 Karma
Reply

jawahir007
Communicator
‎10-25-2024 03:07 AM

I hope you did the following configuration to connect search head with indexer. If not, then do it as mentioned below, else verify the configuration.

Configure the Indexer as a Search Peer

  • Log in to the Splunk web interface on your search head.
  • Go to Settings > Distributed Search > Search Peers.
  • Click Add New to add a new search peer (indexer).
  • Enter the management port (usually 8089) and the hostname or IP address of the indexer.
  • If required, enter the username and password of the indexer to establish the connection.
  • Click Save to add the indexer as a search peer.

 

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
0 Karma
Reply

RAVISHANKAR
Loves-to-Learn Lots
‎10-25-2024 04:13 AM

@gcusello - yes this is done and it showing as status up and replication was successfull.

Thanks

0 Karma
Reply

RAVISHANKAR
Loves-to-Learn Lots
‎10-25-2024 05:02 AM

@gcusello - do we need to check anything else further ??

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2024 05:24 AM

Hi @RAVISHANKAR ,

can you access other indexes or not?

Ciao.

Giuseppe

0 Karma
Reply

RAVISHANKAR
Loves-to-Learn Lots
‎10-25-2024 05:40 AM

@gcusello 

 

I have one indexer and inside that i have created one index and i couldn't fetch data of that index from search head but i can fetch it from the indexer.

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...