Installation

distributed search issue - duplicate licenses

castle1126
Communicator

Hi all,

My old, primary Splunk indexer/search head is being retired (v4.1.4). In its place are 4 new indexing servers that are carrying the indexing load for me (all running v4.1.5). Each of these 4 systems was built from scratch, with indexes.conf being moved to them.

I'm trying to set this old server to be a search head for the new systems, allowing it to run some scheduled searches this weekend before we retire the server. When I add the search peers to the old system via the GUI, they all go in nicely without complaint. When I log back into the old server's GUI again I get this message on the top of my browser:

Unable to distribute to peer named xxx at uri https://xxxx:8089 because peer has status = "Duplicate License".

When I look at Manager->Distributed search-> Search Peers I see the 4 peers showing a status of "duplicate license".

I've dug around through logs on all systems and nothing pops out as being in error, etc.

Any ideas?

1 Solution

ftk
Motivator

Sounds like you still have your old license installed on your old indexer/new search head, and you used the same license at one (or all?) of the new indexers.

At the search head you want to change the license to the Forwarder license (as long as it doesn't do any indexing) and your troubles will go away.


castle1126
Communicator

That was it! I thought I had changed licenses prior to setting up distributed searches but didn't. Thanks!
