Getting Data In

Cannot find bundles for search peer

p_vitale
Explorer

Hi,

I'm deployed a single-site cluster with Master Node, Search Head and two Indexer.
The architecture works fine, but into the "splunkd.log" file of the both Indexer there is the following error:

ERROR SearchPeerBundlesSetup - Cannot find bundles for search peer: MASTENODE

where the MASTENODE is the hostname of the master node machine.

Which kind of problem could be it?
How I can eliminate it?

Into the Master Node UI "Indexer Clustering: Master Node"
1.the number of peers is correct,
2.the number of indexes is correct (and also the states)
3.but the number of Search Head is wrong, that is there are two instances of search head,
one is correct (the search head configured)
and the other one is the master node (why?)

The version of Splunk is 6.2.0

Thanks.

0 Karma
1 Solution

p_vitale
Explorer

The problem was the configuration about Distribuited Search into the master node, it was disabled.
So if it is enabled, the indexers are happy about it and they don't give any error about "find bundles for search peer: MASTENODE".

View solution in original post

0 Karma

p_vitale
Explorer

The problem was the configuration about Distribuited Search into the master node, it was disabled.
So if it is enabled, the indexers are happy about it and they don't give any error about "find bundles for search peer: MASTENODE".

0 Karma

mhouse333
Loves-to-Learn Lots

@p_vitale wrote:

The problem was the configuration about Distribuited Search into the master node, it was disabled.
So if it is enabled, the indexers are happy about it and they don't give any error about "find bundles for search peer: MASTENODE".


Would you please provide specifics on what you changed in the distsearch.com?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Try removing your clustering configuration from the Search Heads, and then re-add them to the cluster. Additionally, check permissions on the search heads and that you have enough disk space.

0 Karma

p_vitale
Explorer

I removed the single Search Head of the cluster from the architecture, and I re-added it into the cluster, but the error is still into the indexer's log.
The search head has enough disk space.
Which kind of permissions I have to check on the search head, in order to resolv this problem?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...