Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distsearch.conf and other config files overridden after rolling retsart

neeravmathur
Path Finder
‎02-26-2021 02:54 AM

Hi, 

We have 3 search head in a cluster and 3 indexers in non clustered environment. Whenever we do a rolling restart of the SH, the distsearch.conf in etc/system/local and some lookup csv in some of apps change. It does not happen always but very often. Can anyone help in figuring why this happens and what needs to be corrected. There is no other distsearch.conf anywhere on the SH.

 

Thanks for your help....

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-02-2021 08:33 AM

Hi @neeravmathur,

So, I think one of your search heads in the cluster cannot sync with the captain. You can see below document for sync problems;

https://docs.splunk.com/Documentation/Splunk/8.1.2/DistSearch/HowconfrepoworksinSHC#Replication_sync... 

Distributing app via deployer is best practice but I don't think it will help since it will update the files only after apply shcluster-bundle command. The reason I asked this is, a member would have been rejoins to cluster and sync. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-28-2021 02:37 AM

Hi @neeravmathur,

You can check the distsearch.conf file and lookups in your deployer. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

neeravmathur
Path Finder
‎02-28-2021 10:38 PM

Hi @scelikok

Thanks for your reply. The deployer has no such lookup/distearch file copy. So not really sure from where the SH are picking up the file after rolling restart.

Let me ask a different question-If I use the deployer to deploy an app (with distsearch.conf in it) so even if the file in etc/local gets corrupted, the precedence will always be given to the distsearch.conf in etc/apps/...

Will this work??

Thanks,

Neerav

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...