This issue is primarily related to events ingested via the IMAP Mailbox App.
We are running a distributed environment with a HF, 3x indexer and 3x search head (accessed via a VIP).
The install has been carried out as per the README.txt instructions for a distributed environment.
Some events are only appearing when searched for on the HF. They do not appear when searched for on the SHs.
The results are mixed in that some email events do not appear at all on the SHs and some events may or may not appear. That is, a search on HF returns 11 events. The same search on SH returns 8 events.
As always, thanks very much for assistance.
This issue was caused by the setting 'indexAndForward' in outputs.conf causing events to be dropped when the queues were too busy.
The 'indexAndForward' stanza was set to false and the events are now all available via the SH.
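
Added example, not part of the original posts and not Splunk's own tooling: a small check that reads the text of one outputs.conf and reports whether local indexing is switched on, either through `indexAndForward` under `[tcpout]` or through `index` under an `[indexAndForward]` stanza, since the answer does not say which form was used. The sample file, group name and host names are constructed, and the check looks at a single file rather than Splunk's merged configuration.

```python
import configparser

TRUTHY = {"1", "true", "t", "yes"}  # boolean spellings treated as "enabled" here

def local_indexing_settings(conf_text):
    """Return (stanza, key, value) for each setting that turns on local indexing."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",), comment_prefixes=("#",)
    )
    parser.optionxform = str  # .conf keys are case-sensitive; keep them as written
    # Settings may appear before the first stanza, so give them a holder section.
    parser.read_string("[__global__]\n" + conf_text)
    watched = (("tcpout", "indexAndForward"), ("indexAndForward", "index"))
    findings = []
    for stanza in parser.sections():
        for key, value in parser.items(stanza):
            if (stanza, key) in watched and value.strip().lower() in TRUTHY:
                findings.append((stanza, key, value.strip()))
    return findings

# Constructed sample of a heavy forwarder's outputs.conf (hosts and group are made up).
HF_BEFORE = """\
# forward to the indexer tier
[tcpout]
defaultGroup = primary_indexers
indexAndForward = true

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997, idx3.example.internal:9997
"""

# Same file after the change described in the answer above.
HF_AFTER = HF_BEFORE.replace("indexAndForward = true", "indexAndForward = false")

if __name__ == "__main__":
    for label, text in (("before", HF_BEFORE), ("after", HF_AFTER)):
        hits = local_indexing_settings(text)
        print(label, "->", hits if hits else "forward-only")
```
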

Are your indexers and SHs on clusters or are those individuals?
r. Ismo
Hi @isoutamo
Yes, $splunkhome/system/local/outputs.conf points to indexers.
Indexers and SHs are clustered.
