Indexer Cluster & Search Head Indexes.conf

Path Finder

Hey,

I'm setting up an Indexer Cluster and a Search Head for the first time and I'm facing an issue on the Search Head.
I can search the indexes content with the Search Head, but on the Settings>Indexes page I do not have information regarding the Indexes.
I'm not exactly sure how to link the Search Head to the indexes.conf of the peers. If I upload the same indexes.conf to the Search Head they do show up, but as if they were on the Search Head, which then retrieves no useful information.

How can I troubleshoot this?

Thanks in advance!

0 Karma

Path Finder

I don't have an answer, just a question. My indexes are also not showing up on the search head cluster. I have an app (XXX-indexes-app) that has the indexes.conf in it; do I need to push it to both the indexers (via the CM) and the search heads (via DC)? I want to make sure the events are being stored on the indexers, but also that the search heads (clustered) have the indexes showing.

0 Karma

Influencer

@woodcock Can you please help with this question? I also have the question of whether indexes.conf on the indexers and the SH needs to be in sync, although all the data is being indexed on the indexers. What if I do not update indexes.conf on the SH cluster? What impact will it have in terms of indexing or searching?

0 Karma

Esteemed Legend

Create a new question, let's not hijack this one.

0 Karma

Builder

Hey

If you are able to see the indexes' content on the Search Head, this means that your indexers are now integrated with the search head. Copying the indexes.conf from the indexers has nothing to do with the integration of search peers with the Search Head.

But if you want to troubleshoot and see whether all of your indexers are now showing up on the search head, you can check the log file splunkd.log, which should be able to tell you if your indexers are able to make a successful connection with the search head.
Additionally, run the query below on your search head:
| tstats count by index, host

And check if you are able to see all the indexes that you have created on the indexers.

Hope this helps!

0 Karma

Builder

Also, you can check the statuses of your indexers from the search head by using the following REST call. Just run this query on the search head:

| rest /services/server/introspection/indexer splunk | fields splunk_server, title, status

This will show you which Splunk instances are connected as indexing machines with your search head, and their respective status as well.

0 Karma

Esteemed Legend

Just put the same indexes.conf file that you put on your Indexers in the same place on your Search Head. This also has the added benefit that as you are typing index= in a search bar, the Search Head will be able to do auto-completion for you! This has NOTHING to do with being able to run searches against the Indexers as Search Peers; this is done with distsearch.conf plus pushing your Search Head's trusted.pem file to each Indexer. This process is automated by adding peers with Settings -> Distributed search -> Search peers -> New.
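
Added example, not part of the original thread: a small Python check for the advice above that lists which index stanzas in the indexers' indexes.conf are absent from the copy on the Search Head. The function names and the two sample files are constructed for illustration; it assumes that `[default]` and stanzas containing a colon (such as `[volume:...]`) are not index definitions.

```python
def index_stanzas(conf_text):
    """Return the set of index names defined as stanzas in indexes.conf text."""
    names = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue  # settings, comments (including commented-out stanzas), blanks
        name = line[1:-1].strip()
        # Assumption: [default] and prefixed stanzas like [volume:hot] are not indexes
        if name == "default" or ":" in name:
            continue
        names.add(name)
    return names


def index_drift(indexer_conf, search_head_conf):
    """Compare index names between the indexer copy and the search head copy."""
    idx = index_stanzas(indexer_conf)
    sh = index_stanzas(search_head_conf)
    return {
        "missing_on_search_head": sorted(idx - sh),
        "only_on_search_head": sorted(sh - idx),
    }


# Constructed sample: the copy pushed to the indexer peers
INDEXER_CONF = """
[default]
frozenTimePeriodInSecs = 7776000

[volume:hot]
path = /opt/splunk/hot

[firewall]
homePath = volume:hot/firewall/db

[web_proxy]
homePath = volume:hot/web_proxy/db

# [old_index]
"""

# Constructed sample: the copy currently on the Search Head
SEARCH_HEAD_CONF = """
[firewall]
homePath = $SPLUNK_DB/firewall/db

[sh_summary]
homePath = $SPLUNK_DB/sh_summary/db
"""

if __name__ == "__main__":
    print(index_drift(INDEXER_CONF, SEARCH_HEAD_CONF))
```
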