Yes running index=_internal on ES search head but not showing ES host name 

yes the hostname in server.conf file is correct.

yes even after expanding timerange hostname is not available.

Hi @mitali,

did you forwarded the Search Heads logs to the Indexers, as hinted by Splunk best practices?

Ciao.

Giuseppe

Can you Please tell me how to do that?

Hi @mitali,

from the Splunk menu on Each Splunk server (except Indexers): [Settings -- Forwarding and Receiving]:

[Forwarding Default -- Save ]

[Configure Forwarding -- New Forwarding host] add indexers

Ciao.

Giuseppe

indexers are already aaded

this is correct?

Hi @mitali,

Check if there's the port in the destination: "indexer_name:9997".

Then, remember to click "Save" in the "Default configuration", it will ask you a restart.

Then, On your indexers, do you receive also from Forwarders or only by syslog?

Ciao.

Giuseppe

everything is correct just that hostname is not showing up

Error [00000080] Instance name "BCCS-P25ES." REST interface to peer is taking longer than 5 seconds to respond on https. Peer may be over subscribed or misconfigured. Check var/log/splunk/splunkd_access.log on the peer Last Connect Time:2022-01-21T22:45:45.000+05:30; Failed 11 out of 11 times.

showing this error in monitoring console.

Hi @mitali,

try to use Ip address instead hostname in the "Add indexers" form:

10.10.10.10:9997
10.10.10.11:9997

and then (using telnet) check if the route between SH and IND is open:

telnet <ip_Indexer> 9997

Ciao.

Giuseppe

Problem sloved solution was to create outputs.conf on Search head 

Hi @mitali,

really strange: using the GUI as I hinted has the same result!

Anyway, if you solved, please accept the answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉