Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I seeing "Unable to distribute to peer...because replication was unsuccessful" on an indexer that is not part of an indexer cluster?

jitsinha
Path Finder
‎03-31-2015 06:06 AM

For last couple of days I have been receiving following message from Splunk indexer 

Unable to distribute to peer named DEV_IDX_01 at uri https://XXXXXXXX.XXXXXXXX.com:8089 because replication was unsuccessful. replicationStatus Failed

Can someone please ut some light from this front??

FYI this indexer is not part of any Index cluster

Reply

yannK
Splunk Employee
Splunk Employee
‎04-01-2015 08:13 AM

The replication in the message is the "search knowledge bundle replication".
Do not get confused with the indexing cluster replication or the search-head clustering replication.

This is the step before the search, when the search-head synchronize the bundle of all the apps and profiles to send to the indexers to run the search with the same context.

see http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Whatsearchheadssend

Check for errors about bundle size, maybe is it too large. -> you can look at the timeouts in distsearch.conf to increase them
Maybe the indexer is not responsive, or slow

Also look on the indexers on the $SPLUNK_HOME/var/run/searchpeer folder, look if you see recent bundle (and untar bundle). They are at least one per search-head. Check permissions, and if needed move the files/folders aside, and retry to search, a new one should be resent.

Reply

jitsinha
Path Finder
‎04-01-2015 11:12 PM

Thnkx yannk. FYI I am using Splunk 5.0.5

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎03-31-2015 09:43 PM

There are a few components that could be causing this. Are your searches to this indexer failing? This could be from search bundles not being distributed because of out of disk space on the indexer..

Reply

jitsinha
Path Finder
‎04-01-2015 04:34 AM

Yes the searches are failing.
After getting this error for few minutes I don't see any data for any search queries. But after couple of minutes if I search again it populates data based on my search query from search head end.
I checked and I have 53% space left in my indexer.

0 Karma
Reply

masonmorales
Influencer
‎04-01-2015 08:23 AM

You might want to contact Splunk Support. They will ask you to run ./splunk diag on the indexers in question.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...