Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the search head status is flickering in the indexer clustering?`

AbilashSe
Explorer
‎03-27-2018 10:17 PM

Search heads are up and healthy, but there is a fluctuation in the Search head status in the indexer clustering.

Can anyone please let me know what the problem is?

Regards,
Abi

0 Karma
Reply

rahul_bhatia
New Member
‎02-17-2020 06:55 AM

I have encountered the exact same issue with one of our SHC.

We have 2 SHCs connected to our indexers. For one of the SHCs, the SHC members keep flickering between 'Up' and 'Down' status on the 'Indexer Clustering' page.

For members of both SHCs, 'generation_poll_interval' defaults to 5. The flickering status only happens for one SHC, not the other.

Any further inputs on this behavior would be appreciated.

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-17-2020 07:03 AM

@rahul_bhatia This thread is nearly two years old with little activity. Consider posting a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎03-28-2018 05:17 PM

try increasing generation_poll_interval on the SHs in server.conf

[clustering]
generation_poll_interval = <positive integer>
    * Only valid if mode=master or mode=searchhead
    * Determines how often the searchhead polls the master for generation
      information.
    * Defaults to 60s.

some older docs state default is 60s but actual config is set to 5 sec.

[root@rplinux bin]#
./splunk btool server list --debug | grep generation_poll_interval

/opt/splunk/etc/system/default/server.conf generation_poll_interval = 5

you can increase generation_poll_interval to 60 sec and see if it stabilizes the SH status from cluster master UI.

0 Karma
Reply

AbilashSe
Explorer
‎03-28-2018 10:07 PM

Hi rphillips [Splunk],

Thanks for your answer..!!

I've tried with the above option , but its ended up with an error when i restarted the splunkd after the config change in the server.conf in the SH.
I've set the mode as searchhead and poll_interval value was 5.

Invalid key in stanza [clustering] in /pkg/splunk/etc/system/default/server.conf, line 397: only valid for mode (value: master or mode=searchhead).

Would you please check and let me know if there are changes needs to be done.

Thank you,
Abi

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎03-29-2018 08:58 AM

Hi Abi,
- what version are you on?
- can you send the output after running this command on your SH
$SPLUNK_HOME/bin
./splunk btool server list --debug clustering

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...