Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search fail with Error : DistributedSearchResultCollectionManager - Not connecting to peer xxx because it has been optimized out. Groups

rbal_splunk
Splunk Employee
Splunk Employee
‎05-18-2015 01:39 PM

I have just deployed Splunk 6.2 with Search Head and 12 indexers. My searches are failing with error

05-18-2015 19:15:40.924 INFO DistributedSearchResultCollectionManager - Not connecting to peer 'indexe500010' because it has been optimized out. Groups

05-18-2015 19:15:40.924 INFO DistributedSearchResultCollectionManager - Not connecting to peer 'indexer500011' because it has been optimized out. Groups

05-18-2015 19:15:40.924 INFO DistributedSearchResultCollectionManager - Not connecting to peer ' indexer 500012' because it has been optimized out. Groups

Any ideas?

Tags (2)
Reply

rbal_splunk
Splunk Employee
Splunk Employee
‎05-18-2015 01:42 PM

The message turned out new App called DMC ( Refer http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/ConfiguretheMonitoringConsole) that is available with Splunk Version 6.2.

run btool command for distsearch on Search Head shows ( using $SPLUNK_HOME/bin/splunk cmd btool distsearchlist –debug). The
Output shows
.

.../etc/system/default/distsearch.conf [bundleEnforcerWhitelist]
..../etc/system/local/distsearch.conf   [distributedSearch]

.
.
..../etc/system/local/distsearch.conf servers = indexer500010:8089,indexer500011:8089,indexer500012:8089,indexer500013:8089,indexer500014:8089,indexer500015:8089
..../etc/system/default/distsearch.conf shareBundles = true
..../etc/system/default/distsearch.conf statusTimeout = 10
..../etc/system/default/distsearch.conf useSHPBundleReplication = true
..../etc/system/local/distsearch.conf [distributedSearch:dmc_group_cluster_master]
..../etc/system/local/distsearch.conf [distributedSearch:dmc_group_deployment_server]
..../etc/system/local/distsearch.conf [distributedSearch:dmc_group_indexer]
..../etc/system/local/distsearch.conf default = true
..../etc/system/local/distsearch.conf [distributedSearch:dmc_group_kv_store]

Notice that distsearch.conf has many groups and out of these groups [distributedSearch:dmc_group_indexer] is the default group, as a result you search is not working. In your case you need to make group [distributedSearch] as default.

So make the following change to the distsearch.conf 

[distributedSearch]
default = true
[distributedSearch:dmc_group_indexer]
default = false

Also refer- http://answers.splunk.com/answers/221468/search-returns-zero-results-searchlog-reports-dist.html

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...