Splunk Dev

How could i find the reason or cause of indexer down ?

kartm2020
Communicator

I just need to find the reason of indexer down in splunk

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @kartm,
it's very difficoult to understand what's happened without any info.
Anyway, start to see Splunk logs ($SPLUNK_HOME/var/log/splunk/splunkd.log or if there's a crash log.
then try to restart Splunk using console so you can see start-up messages and understand if there are error messages.
Ciao.
Giuseppe

0 Karma

soumyasaha25
Contributor

you can start off by looking at splunkd logs (index=_internal source=*splunkd.log) and also look at /var/log/messages and look for events around the time the indexer went down.

0 Karma

kartm2020
Communicator

Thank you. May i know what is the exact error message that comes in splunkd.log? Give me some sample output. it will help me a lot

0 Karma

soumyasaha25
Contributor

it is quite difficult to tell the exact message that splunk will throw when an indexer goes down since it might go down for a variety of factors (maybe the disk/memory/cpu utilization had spiked), but you should be able to figure it out from the splunkd logs just look into the error logs (index=_internal source=*splunkd.log log_level=ERROR host=).

0 Karma
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...