Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When trying to set up a distributed system, can you help me with the following error?: "Unable to distribute to peer, peer has status=2"

xindeNokia
Path Finder
‎10-23-2018 09:01 AM

distributed system. splunk 7.1.2
one SH + one indexer

In the SH splunkd log:

DistributedPeerManager - Distributed: Unable to distribute to peer ..... using the uri-scheme=https because peer has status=2. Please verify uri-scheme, connectivity to the search peer, that the search peer is up, and an adequate level of system resources are available. See the Troubleshooting Manual for more information.

and it causes search failure.

what does status=2 mean? what might be happening here?

Any help is appreciated!

Reply

bgronvall_splun
Splunk Employee
Splunk Employee
‎05-07-2019 12:49 PM

status=2 is evaluated as "Unstable" and can only be triggered by the following two conditions.

  1. There is a time skew between the SH and Search Peer.
  2. The indexer is oversubscribed and rate at which it returns results is inconsistent with the other search peers.
0 Karma
Reply

xindeNokia
Path Finder
‎11-02-2018 08:31 AM

Just want to posted how we solved this issue in case other ppl see this issue as well - still on-going but less frequent

we suspect this is due to workload on indexer is too heavy. we dont have heavy forwarder in btw.
after we fixed couple of parsing issues on indexer. connection issue gets better.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-07-2019 05:05 PM

Please do click Accept on your answer.

0 Karma
Reply

cybermonday
Explorer
‎07-30-2019 08:05 AM

You may want to revisit and ensure that right port used in your deployment.

Sometimes admin in config rush make mistake by sending logs to indexer on port 8089 instead of 9997 which is enough overwhelm the indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...