Deployment Architecture

Why am I getting a warning from my search head cluster captian stating "unable to distribute to peer"?

w199284
Explorer

I'm attempting to convert from a search head (sh) pool to a search head cluster. All instances (cluster master, index peers, heavy forwarders and the original sh pool) are at v6.5.3 on linux. I've followed the steps in the migrate from pool to cluster documentation, carefully I think, a couple of times now. I've missed "something" but I don't know how to find what that is.

I turned on DEBUG for DistributedBundleReplicationManager but didn't find any extra useful information. Same thing for SearchPeerBundlesSetup on one of the peers. To me, it looks like the bundle replication process is working from the sh cluster to the search peer(s) but whatever response is expected from the peer is not happening. Just a wag though. Any thoughts you have on the subject are much appreciated.

o Sending done. uploaded_bytes=82954240, elapsed_ms=5594. Waiting for peer.uri=https://xx.xx.xx.xx:8089 to respond
o got non-200 response from peer. uri=https://xx.xx.xx.xx:8089, reply="HTTP/1.1 204 No Content" response_code=204
o Unable to upload bundle to peer named xxxxx

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Did this member successfully join the SHC? If so, you can try to remote it from the cluster, clean, and rejoin it to the cluster.

0 Karma

w199284
Explorer

Thank you for your response. Unless I am missing something, yes all four members of the shc are participating. At least based on the results of shcluster-status.

Actually, I did execute the "clean" command, without options, earlier, on ALL shc members. Very scary command, I think. I had to reinitialize the cluster members afterward to get the members back. (use with caution is right). Since I have not added the shcluster members to the load balancer yet there was no impact.

I still get the bundle failure unfortunately. There are some things that don't add up too like I don't see the Monitoring Console or the shclustering dashboards that should be there. I believe I'll take down the instances and step through the install and configure one more time. Thanks again.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...