Deployment Architecture
Highlighted

Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

Hello Splunker,

I prepared one lab with below instance to see real-time Single Site Index Clustering. But after configure I can only see _audit and _internal indexes from Cluster Master. Where are the rest of default indexes like main and etc?

1 Search Head with Deployment Server and License Master
1 Cluster Master
2 Indexer for Cluster Peer

I reviewed this question from https://answers.splunk.com/answers/143987/cluster-master-does-not-display-custom-or-main-index-only-... .

Note that, all the configuration is been done from CLI command not from apps.

Can anyone suggest me what can be a reason.

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

Legend

Hi princemanto2580,
until you don't have acquired logs in an Index, you don't see it in Master Node dashboards.
Bye.
Giuseppe

View solution in original post

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

Absolutely correct. Thanks for the details.

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

SplunkTrust
SplunkTrust

Also don't forget to set the setting per-index within the indexes.conf file of:
repFactor = auto

When you do introduce new indexes as per the documentation...

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

I tried today for additional index creation from master-app but it is not reflecting at cluster peer indexes. Although, configuration pushed and i can able to see at slave-apps. Any idea, what I am missing ?

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

Legend

check the path you used.
Bye.
Giuseppe

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

which path you are refereeing ?

[test]
coldPath = $SPLUNK_DB/test/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/test/db
maxTotalDataSizeMB = 500
coldToFrozenDir = /opt/frozen/test
thawedPath = $SPLUNK_DB/test/thaweddb
maxDataSize = 200
repFactor = auto

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

Legend

correct me if I'm wrong:

  • you created the test index in Master Node,
  • you deployed Bundle;
  • you see test index folder in $SPLUNK_DB;
  • you ingested logs in test index;
  • you don't see test index in Master Node dashboard?

can you share a screenshot of Master Node Index Replication dashboard?

Bye.
Giuseppe

0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

Hi Giuseppe,

  • I created the test index in Master Node (correct)
  • I deployed Bundle; (correct)
  • I see test index folder in $SPLUNK_DB; (No, I can not see yet)
  • I ingested logs in test index; (not yet, let me see the index first then data ingestion will be carried out)
  • I don't see test index in Master Node dashboard. (As you clarified, no data in index mean you can not see the index at Master node dashboard)
0 Karma
Highlighted

Re: Why does my single site Indexer Cluster only shows _audit and _internal buckets from Cluster Master?

SplunkTrust
SplunkTrust

The index will not appear in the cluster master until it contains data as per Giuseppe previous post.

0 Karma