
Why am I seeing "Unable to distribute to peer...because replication was unsuccessful" on an indexer that is not part of an indexer cluster?

jitsinha
Path Finder

For the last couple of days I have been receiving the following message from the Splunk indexer:

Unable to distribute to peer named DEV_IDX_01 at uri https://XXXXXXXX.XXXXXXXX.com:8089 because replication was unsuccessful. replicationStatus Failed

Can someone please put some light on this front?

FYI, this indexer is not part of any index cluster.

yannK
Splunk Employee

The replication in the message is the "search knowledge bundle replication".
Do not get confused with the indexing cluster replication or the search-head clustering replication.

This is the step before the search, when the search-head synchronizes the bundle of all the apps and profiles to send to the indexers, so that they run the search with the same context.

See http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Whatsearchheadssend

Check for errors about bundle size; maybe it is too large. You can look at the timeouts in distsearch.conf to increase them.
Maybe the indexer is not responsive, or slow.

Also look on the indexers in the $SPLUNK_HOME/var/run/searchpeer folder, and see if there is a recent bundle (and untarred bundle). There is at least one per search-head. Check permissions, and if needed move the files/folders aside and retry the search; a new one should be resent.
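
The indexer-side checks from the answer above (folder present, writable, recent bundle received), as an added example that is not part of the original thread. The function name `bundle_dir_status`, the 60-minute window and the `/opt/splunk` fallback are assumptions; the folder path is the one given in the post.

```shell
#!/bin/sh
# Added example: triage of the search-peer bundle folder on an indexer.
# Usage: sh check_bundles.sh [folder] (script name is hypothetical)

# Prints one status word for the folder given as $1:
#   MISSING           folder does not exist
#   NOT_WRITABLE      current user cannot write or traverse it
#   NO_RECENT_BUNDLE  nothing modified within the window ($2 minutes, default 60)
#   OK                at least one bundle file or unpacked bundle folder is recent
bundle_dir_status() {
    dir=$1
    max_age_min=${2:-60}   # assumed threshold, tune to how often you search

    [ -d "$dir" ] || { echo MISSING; return 0; }

    # Run this as the account splunkd runs as: that account has to be able
    # to write the incoming bundle and unpack it in this folder.
    [ -w "$dir" ] && [ -x "$dir" ] || { echo NOT_WRITABLE; return 0; }

    # Any top-level entry (bundle file or unpacked folder) newer than the window.
    recent=$(find "$dir" -mindepth 1 -maxdepth 1 -mmin "-$max_age_min" -print | head -n 1)
    if [ -n "$recent" ]; then
        echo OK
    else
        echo NO_RECENT_BUNDLE
    fi
}

# Folder from the post; /opt/splunk is only an assumed fallback install path.
peer_dir=${1:-${SPLUNK_HOME:-/opt/splunk}/var/run/searchpeer}
echo "$peer_dir: $(bundle_dir_status "$peer_dir")"

# Owner and mode of the folder and its entries, to compare with the splunkd account.
if [ -d "$peer_dir" ]; then
    ls -ld "$peer_dir" "$peer_dir"/* 2>/dev/null
fi
true
```

A `NO_RECENT_BUNDLE` result right after a failed search points at the bundle never arriving, which is when the timeouts and bundle size mentioned above are worth checking on the search-head.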

jitsinha
Path Finder

Thanks yannK. FYI, I am using Splunk 5.0.5.

0 Karma

esix_splunk
Splunk Employee

There are a few components that could be causing this. Are your searches to this indexer failing? This could be from search bundles not being distributed because of out of disk space on the indexer.

jitsinha
Path Finder

Yes, the searches are failing.
After getting this error for a few minutes I don't see any data for any search queries. But after a couple of minutes, if I search again, it populates data based on my search query from the search head end.
I checked and I have 53% space left in my indexer.

0 Karma

masonmorales
Influencer

You might want to contact Splunk Support. They will ask you to run ./splunk diag on the indexers in question.

0 Karma