Deployment Architecture

Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

princemanto2580
Path Finder

Hello Splunker,

I prepared one lab with below instance to see real-time Single Site Index Clustering. But after configure I can only see _audit and _internal indexes from Cluster Master. Where are the rest of default indexes like main and etc?

1 Search Head with Deployment Server and License Master
1 Cluster Master
2 Indexer for Cluster Peer

I reviewed this question from https://answers.splunk.com/answers/143987/cluster-master-does-not-display-custom-or-main-index-only-... .

Note that, all the configuration is been done from CLI command not from apps.

Can anyone suggest me what can be a reason.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi princemanto2580,
until you don't have acquired logs in an Index, you don't see it in Master Node dashboards.
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi princemanto2580,
until you don't have acquired logs in an Index, you don't see it in Master Node dashboards.
Bye.
Giuseppe

0 Karma

princemanto2580
Path Finder

Absolutely correct. Thanks for the details.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Also don't forget to set the setting per-index within the indexes.conf file of:
repFactor = auto

When you do introduce new indexes as per the documentation...

0 Karma

princemanto2580
Path Finder

I tried today for additional index creation from master-app but it is not reflecting at cluster peer indexes. Although, configuration pushed and i can able to see at slave-apps. Any idea, what I am missing ?

0 Karma

gcusello
SplunkTrust
SplunkTrust

check the path you used.
Bye.
Giuseppe

0 Karma

princemanto2580
Path Finder

which path you are refereeing ?

[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 500
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 200
repFactor = auto

0 Karma

gcusello
SplunkTrust
SplunkTrust

correct me if I'm wrong:

  • you created the test index in Master Node,
  • you deployed Bundle;
  • you see test index folder in $SPLUNK_DB;
  • you ingested logs in test index;
  • you don't see test index in Master Node dashboard?

can you share a screenshot of Master Node Index Replication dashboard?

Bye.
Giuseppe

0 Karma

princemanto2580
Path Finder

Hi Giuseppe,

  • I created the test index in Master Node (correct)
  • I deployed Bundle; (correct)
  • I see test index folder in $SPLUNK_DB; (No, I can not see yet)
  • I ingested logs in test index; (not yet, let me see the index first then data ingestion will be carried out)
  • I don't see test index in Master Node dashboard. (As you clarified, no data in index mean you can not see the index at Master node dashboard)
0 Karma

gjanders
SplunkTrust
SplunkTrust

The index will not appear in the cluster master until it contains data as per Giuseppe previous post.

0 Karma

princemanto2580
Path Finder

As per details from Giuseppe, indexes will not seen from Cluster-Master until data ingested on that index. But my question is, will that index can been seen from Cluster-Peers.

If the answer is simply NO, then it is fine for me. But if the answer is YES, then it is a problem for me.

Hope you can understand my question.

0 Karma

gjanders
SplunkTrust
SplunkTrust

To confirm the index is configured on the peer you could run:
splunk btool indexes list --debug
(on the CLI of the peer)

Or look within the GUI of the individual indexer if that is turned on, does that help?

0 Karma

princemanto2580
Path Finder

Hi garethatiag,

I didn't run /opt/splunk/bin/splunk btool indexes list --debug on cluster peer. But from GUI, I didn't see the index "test" on each cluster peer.

Which means, the configuration is wrong !

0 Karma

gjanders
SplunkTrust
SplunkTrust

Interesting, I see 112 configured indexes on a peer and 88 of them are clustered/have data actively according to the master.
So it does sound like something may be incorrectly configured...

0 Karma

princemanto2580
Path Finder

Can you confirm, in your configuration indexes.conf is located under master-apps/_cluster/local/ ?

Or you have put your indexes.conf under another app within master-app/your_app/local/ ?

0 Karma

gjanders
SplunkTrust
SplunkTrust

Most of my index configuration is in the above location on the master.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...