Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When trying to set up a distributed system, can you help me with the following error?: "Unable to distribute to peer, peer has status=2"

xindeNokia
Path Finder
‎10-23-2018 09:01 AM

distributed system. splunk 7.1.2
one SH + one indexer

In the SH splunkd log:

DistributedPeerManager - Distributed: Unable to distribute to peer ..... using the uri-scheme=https because peer has status=2. Please verify uri-scheme, connectivity to the search peer, that the search peer is up, and an adequate level of system resources are available. See the Troubleshooting Manual for more information.

and it causes search failure.

what does status=2 mean? what might be happening here?

Any help is appreciated!

Reply

bgronvall_splun
Splunk Employee
Splunk Employee
‎05-07-2019 12:49 PM

status=2 is evaluated as "Unstable" and can only be triggered by the following two conditions.

  1. There is a time skew between the SH and Search Peer.
  2. The indexer is oversubscribed and rate at which it returns results is inconsistent with the other search peers.
0 Karma
Reply

xindeNokia
Path Finder
‎11-02-2018 08:31 AM

Just want to posted how we solved this issue in case other ppl see this issue as well - still on-going but less frequent

we suspect this is due to workload on indexer is too heavy. we dont have heavy forwarder in btw.
after we fixed couple of parsing issues on indexer. connection issue gets better.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-07-2019 05:05 PM

Please do click Accept on your answer.

0 Karma
Reply

cybermonday
Explorer
‎07-30-2019 08:05 AM

You may want to revisit and ensure that right port used in your deployment.

Sometimes admin in config rush make mistake by sending logs to indexer on port 8089 instead of 9997 which is enough overwhelm the indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...