Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- what happens to the data forwarded to indexer when...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker12er
Motivator
10-01-2015
02:07 AM
Sample Warning Message:
Search peer 10.0.1.1 has the following message: received event for unconfigured/disabled/deleted index='Index-A' with source='10.3.0.97.log' host='host::device1' sourcetype='sourcetype::cisco' (1 missing total)
- conditions:
out if 4 indexers , 2 indexers alone have "Index-A" index,. where the other 2 indexers do not have that index.
My splunk forwarder (heavy) is set to auto_lb to all the 4 indexers.
- queries:
In this case, whether the data sent from splunk forwarder to those indexers will be lost ? - For sure this wont happen(I assume , as TCP doesn't send ack , no data transfer further - am i right here?!)
or since splunkd doesn't accept the data , as the index is not present , the data is bounced back to the other indexers ? auto_lb ? How do splunk handle this?
please advise.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
10-01-2015
02:18 AM
Hi splunk12er,
if the events hit an indexer where the index is not present, it will not be stored (it is lost in your words) and the message is shown. Splunk will not bounce it back to any other indexer.
You have to take care that each index which is defined in your inputs, is available on each indexers if you're using auto-lb or setup the UF to only forward to the two indexers which hold the index.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
10-01-2015
02:18 AM
Hi splunk12er,
if the events hit an indexer where the index is not present, it will not be stored (it is lost in your words) and the message is shown. Splunk will not bounce it back to any other indexer.
You have to take care that each index which is defined in your inputs, is available on each indexers if you're using auto-lb or setup the UF to only forward to the two indexers which hold the index.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker12er
Motivator
10-24-2015
11:45 PM
Thanks. this information is helpful.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
