Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: index creation from HF
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello members,
I have clustered environment and i create index on HF and data inputs for receive syslog, I create the same index inside indexers.conf in cluster master then pushed the configuration.
the index not appears in indexer cluster in CM and not searchable i tried to use btool inside each indexer and appears my indexer on loaded indexers .
so what the problem .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you want to see your index on CM, there is at least one log collect for this index.
Can you check logs coming to this index with "tcpdump -i any port 514" on HF server.
And you must check your firewall permission with "firewall-cmd --list-all"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@batabay when i did your command about firewall-cmd i got the port that has syslog not inside allowed port to forward
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
basically it's enough that you have created index on cluster master and then pushed it into search peers. In HF it's more nice to have. Of course if you have some modular inputs which you are configuring with GUI, those usually needs also indexes configure in HF too.
Have you correctly configured your HF to just forwarding events to indexers instead of storing those locally?
Have you configured other indexes on HF which currently found from your indexer cluster and are those events go through this HF?
When you are configuring indexes on CM that didn' t means that those are seen on locally in CM. Those indexes are pushed only into peers!
Could it be that those new indexes are e.g. under master-apps and old ones are under manager-apps on your CM? You could use only one of those places not both? If I recall right manager-apps has higher priority over master-apps (the old place). So if you have any cluster peer configurations (also other than indexes.conf) then all configurations must move there or otherwise those are not working.
Again btool is your friends. You could go into any peer and try
splunk btool indexes list --debug <your index name> This shows if its deployed into peer and if where it is.
If I recall right there are some options how to run this also on CM and see what its deploy to peers, but I cannot found that option now.
But anyhow just look on your CM and ensure that you are using only master-apps or manager-apps and not both. Basically you should see this also on _internal logs.
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you correctly configured your HF to just forwarding events to indexers instead of storing those locally?
i have configuered the index from GUI and the data inputs also how could i know if it's stored locally or not.
Have you configured other indexes on HF which currently found from your indexer cluster and are those events go through this HF?
yes, there are indexer names come from HF and also found in CM indexer cluster ( they coming from HF )
When you are configuring indexes on CM that didn' t means that those are seen on locally in CM. Those indexes are pushed only into peers!
when i configuered the index from HF i did the same inside indexes.conf in manager-apps directory.
Could it be that those new indexes are e.g. under master-apps and old ones are under manager-apps on your CM? You could use only one of those places not both?
all the indexers in CM inside manager-apps .
i did splunk btool indexes list --debug <your index name> and the index is showing with the same settinges inside CM after pushing the bundle.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you want to see your index on CM, there is at least one log collect for this index.
Can you check logs coming to this index with "tcpdump -i any port 514" on HF server.
And you must check your firewall permission with "firewall-cmd --list-all"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah i got events from tcpdump ..
no blocking from firewall
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
