Deployment Architecture

replication error messages

Path Finder

Hi, During ad hoc searches we are getting messages "unable to distribute to peer named splunk_index01 at url https://10.1.6.1:8089 because replication was unsuccessful replicationStatus in progress". And when this message displayed, the search results were incorrect. We were getting less events in search resutls than expected. Is there a way to avoid this error? The size of the replication was approximately but less than 300MB. And we had excluded the lookup tables in replication using the configuration below:

[replicationBlacklist] donotreplicate = .../*.csv

Thanks.

Tags (1)

Splunk Employee
Splunk Employee

If all the machines are on a LAN, the best way to make replication faster is to disable splunkd SSL. I'd suggest checking what are the large files being replicated on the indexer in $SPLUNK_HOME/var/run/searchpeers/<indexer>/<newest subdir>.

Splunk Employee
Splunk Employee

The replicationWhitelists act as a union, so you'd have to remove the other ones.

0 Karma

Communicator

thank Stephen, You remind me of Splunk 4.1.4 doesn't support Blacklist.
before we upgrade to 4.1.5 can we use "replicationWhitelist = .../*.conf" to avoid replicate *.csv files ?

0 Karma

Splunk Employee
Splunk Employee

The blacklist setting was added in 4.1.5. SSL must be disabled on the indexers. If on set on the search head, it will fall back to SSL in order to communicate with the indexers which are configured to speak only SSL.

0 Karma

Communicator

BTW, I had already set
[replicationBlacklist] donotreplicate = .../*.csv
but all *.csv files are still been replicated
we use Splunk 4.1.4.

0 Karma

Communicator

Hi, we had already disabled SSL , but replication failed message still appeared as usual.

in server.conf (search head)
[sslConfig]
enableSplunkSSL = false

we had restarted splunk service after modified server.conf

0 Karma