When adding a search peer I get error "In handler 'distsearch-peer': Error while sending public key to search peer: No route to host"

rob_lamb
Explorer

I have two Linux VMs running on my Windows 7 box. I'm trying to configure one as a search peer and one as the search head. Inside their Linux environments, each box can ping the other on a VM internal network.

On the search head, I am trying to add a new search peer.
For the "Peer" field, I've typed in the search peer's IP address, with ":8089" appended.

For "Authentication" I've tried both an admin account on the search peer, as well as the Splunk admin account credentials for the search peer.

No matter what I try, I get the error in the question above. Any help would be appreciated.

1 Solution

Jeremiah
Motivator

It sounds like you have connectivity between hosts, but you might want to check that you can initiate a TCP connection between the two. "No route to host" implies that your search head doesn't know how to reach your search peer on the network. On the search head, are you able to connect to the remote port of the indexer?

 telnet <indexer ip> 8089

or

 nc -v <indexer ip> 8089

If the connection fails, you have a problem with connectivity between the VMs and you might need to disable firewalling or make some adjustments to the network config for your VMs/Host.

If the connection works, then your problem is higher up the stack. Does each VM have a local hostname? When you add the peer by IP, it may be responding back with its hostname, and the search head may try and connect to that (or vice-versa). Try creating entries in the /etc/hosts file on each server so that the VMs are resolvable by name.

Also, it doesn't sound like the right error, but make sure you reset the default admin password on each Splunk instance. Otherwise remote connectivity to the API port (8089) using admin is disabled.

rob_lamb
Explorer

I tried telnet and it failed. This made me realize that I hadn't opened port 8089. I did that, and I can now add the search peer. Thank you for the assistance.
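
The connectivity check from the accepted answer, as an added example that is not part of the original thread: a Python probe of the peer's management port that separates "No route to host" from a refused or silently dropped connection. The function names and the diagnosis wording are this example's own assumptions.

```python
import errno
import socket
import sys

# What each connect() outcome means when a search head probes a peer's
# management port (8089 in the thread above). Wording is this example's own.
DIAGNOSIS = {
    "open": "TCP connect works; check name resolution and credentials next",
    "no_route": "'No route to host': no route or ARP reply, or a firewall "
                "rejecting with an ICMP host-unreachable/prohibited message",
    "net_unreachable": "this host has no route to the peer's network",
    "refused": "peer reachable, but nothing is listening on the port "
               "(or a firewall answered with a TCP reset)",
    "timeout": "no reply at all; packets are probably dropped by a firewall",
    "other": "unexpected error; inspect it directly",
}

_ERRNO_TO_STATE = {
    errno.EHOSTUNREACH: "no_route",
    errno.ENETUNREACH: "net_unreachable",
    errno.ECONNREFUSED: "refused",
    errno.ETIMEDOUT: "timeout",
}

def classify(err):
    """Map a connect() errno to one of the DIAGNOSIS keys."""
    return _ERRNO_TO_STATE.get(err, "other")

def probe(host, port=8089, timeout=3.0):
    """Attempt one TCP connection to host:port and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return classify(exc.errno)
    finally:
        sock.close()

if __name__ == "__main__":
    # Usage: python3 probe_peer.py <peer address> [port]
    peer = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8089
    state = probe(peer, port)
    print(f"{peer}:{port} -> {state}: {DIAGNOSIS[state]}")
```

Run it from the search head against the peer's address; a `no_route` result while ping succeeds points at port filtering on the peer rather than at routing.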
