New application of the search head cannot make search data

chustar
Path Finder

I've created two Splunk applications that work fine and can access the data on my indexers.

However, when I create a third application named "new_application" (from scratch or cloning an existing app) it cannot access any of the data.

While I can successfully load pregenerated data (using loadjob) it fails when I try to make a direct search.

I looked in the search log for all the indexers that were used and found this error:

dispatchRunner - RunDispatch::runDispatchThread threw error: Application does not exist: new_application

Is there an additional deployment or new config setting that needs to be changed when creating new applications?

edit:
This was due to the app not being replicated. I found the issue to be related to the syncing of the replication bundle:

DistributedBundleReplicationManager - Synchronous bundle replication to 4 peer(s) succeeded; however it took too long (longer than 10 seconds): elapsed_ms=10859, tar_elapsed_ms=551, bundle_file_size=47750KB, replication_id=1499346376, replication_reason="sync replication required to establish common bundles across all search peers"  

I've also tried changing the timeout in the distsearch to but it doesn't seem to reflect correctly.

0 Karma

chustar
Path Finder

The issue was that all of the applications on the search head were being automatically replicated to our indexer.

One of those applications had a very long file name and this caused the indexers to fail while processing the issue.

I fixed the issue by modifying the system/local/distsearch.conf on the search head to prevent that application from being replicated.

0 Karma
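
Added example (not part of the thread and not Splunk's own tooling): a sketch that walks a search head's apps directory, reports each app's size and over-long file paths, and builds a `distsearch.conf` exclusion stanza for the flagged apps. The 100-character threshold, the sample tree, and the use of the `[replicationBlacklist]` stanza are assumptions; the post does not say which length or which setting was involved.

```python
import os
import tempfile

MAX_PATH_LEN = 100  # assumed threshold; the thread gives no number

def audit_apps(apps_dir, max_path_len=MAX_PATH_LEN):
    """Per app: total bytes, longest path, and paths over the threshold."""
    report = {}
    for app in sorted(os.listdir(apps_dir)):
        app_root = os.path.join(apps_dir, app)
        if not os.path.isdir(app_root):
            continue
        entry = {"bytes": 0, "longest": "", "too_long": []}
        for dirpath, _dirs, files in os.walk(app_root):
            for name in files:
                full = os.path.join(dirpath, name)
                # Path relative to $SPLUNK_HOME/etc, as replication patterns see it
                rel = "apps/" + os.path.relpath(full, apps_dir).replace(os.sep, "/")
                entry["bytes"] += os.path.getsize(full)
                if len(rel) > len(entry["longest"]):
                    entry["longest"] = rel
                if len(rel) > max_path_len:
                    entry["too_long"].append(rel)
        report[app] = entry
    return report

def exclusion_stanza(report):
    """distsearch.conf stanza excluding each app that has an over-long path."""
    rows = [f"exclude_{app} = apps/{app}/..." for app, e in report.items() if e["too_long"]]
    return "\n".join(["[replicationBlacklist]"] + rows) + "\n" if rows else ""

def build_sample_tree(root):
    """Constructed sample: one ordinary app, one with a very long file name."""
    samples = {
        "good_app/default/app.conf": "[ui]\n",
        "long_app/lookups/" + "x" * 120 + ".csv": "a,b\n1,2\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, "apps", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(root, "apps")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(exclusion_stanza(audit_apps(build_sample_tree(tmp))))
```

To check a real deployment, point `audit_apps` at `$SPLUNK_HOME/etc/apps` on the search head and review the generated stanza before placing it in `system/local/distsearch.conf`.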

gcusello
Esteemed Legend

Hi chustar,
are you sure that all the knowledge objects of your cloned app are shared at App or Global level?
If you left some objects, like eventtypes or field definitions, as private, you didn't copy them into the new app and it doesn't run.
Bye.
Giuseppe

0 Karma

chustar
Path Finder

Yeah, those are being shared globally.

0 Karma

woodcock
Esteemed Legend

It is all in the "how" of "I created a new application". The 2 best ways are from the CLI, tar up an existing app in the apps directory then rename the same app as something else, then untar to put the original back. Then edit the stuff in the cloned app. The next best way is from the GUI on the Search Head: Apps -> Manage apps -> Create app button, then follow the prompts. Just trash your existing one and start over.

0 Karma

chustar
Path Finder

This was due to the replication bundle not syncing. I've updated the question.

0 Karma

sbbadri
Motivator

To resync, you can issue this command:

splunk resync shcluster-replicated-config

Note: You do not need to restart the member after running this command.

Caution: This command causes an overwrite of the member's entire set of search-related configurations, resulting in the loss of any local changes.

0 Karma