Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the replication status on distributed search failing with this error "Gave up waiting for the captain to establish a common bundle version across all search peers"?

splunker9999
Path Finder
‎12-16-2016 09:15 AM

Hi, We are seeing replication status on search head captain and one of the search head has failed.

Also we are seeing below error when we tried to search any data.

Gave up waiting for the captain to establish a common bundle version across all search peers; using most recent bundles on all peers instead

We tried restarting search head cluster, rolling restart and resync, but still facing this issue.

Can you please advice how we can handle this issue?

Thanks.

0 Karma
Reply

sombhtr239
Explorer
‎08-07-2023 10:26 PM

Hello,

None of the above statement hold true for me. Our VM's are hosted in GCP, and we have 3 SH member in the SHC and 3 IDX. The issue is observed only in 1 peer, while the other works fine. Tried the setting mentioned above. Also, removed and reconfigured the problematic SH. The issue persists. If anyone has resolved the issue, please suggest steps to resolve this issue.

0 Karma
Reply

bmacias84
Champion
‎12-16-2016 10:58 AM

I've seen this in two cases.

  1. Your search heads don't have enough resources. in server.conf consider setting captain_is_adhoc_searchhead = True
  2. The other case would be in your bundles are over 800MB which is the default max http content size which most likely are very large lookup table(s). The DMC should be able to tell you how large your bundles are. Delete the large items or consider increasing max_content_length which located in server.conf.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...