Splunk Enterprise Security

Why did searches stop returning results after enabling the Distributed Management Console on a Splunk App for Enterprise Security search head?

faol
Explorer

After enabling the Distributed Management Console on an Enterprise Security (ES) search head, searches stop returning results. The following additional behaviors were also experienced.

  1. Navigation to the Settings menu in the UI is slow but works.
  2. When trying to access the Search UI, Splunk does not respond.
  3. Running a search from the command line does not return results.
  4. The “Scheduled time” value in “Settings > Searches, reports, and alerts” contains dates from the past.
  5. Large gaps in time (more than 24 hours in some cases) were seen in the scheduler.log and splunkd.log files.

Why is this happening?

0 Karma

esix_splunk
Splunk Employee

Don't run DMC on the same search head as ES. There are some known issues with running DMC on a production SH, and it can affect search distribution.

0 Karma

bpaul_splunk
Splunk Employee

The Distributed Management Console (DMC) makes changes to a number of different files, one of which is the addition of search groups in distsearch.conf, which changes the way in which searches behave. The configuration documentation contains the following warning.

Important: Except for the case of a standalone, non-distributed Splunk Enterprise deployment, the instance hosting the DMC should not be used as a production search head and should not run any searches unrelated to its function as the DMC.

Also, when enabling the distributed mode of the feature, the user is presented with the following screen.


The only solution to correct this is to disable DMC on the search head. Instructions for doing this can be found in the documentation.

0 Karma
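One way to confirm what the answer above describes before disabling anything is to inspect the merged distsearch.conf for search-group stanzas and see which app contributed them. This is an added example, not code from the thread or from Splunk; it parses the output of `splunk btool distsearch list --debug` (which prefixes each line with its source file). The sample output, the app directory name `splunk_management_console` and the `dmc_group_*` stanza names are constructed assumptions, not values from the thread.

```python
"""Report [distributedSearch:<group>] stanzas and the file that supplied each."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `splunk btool distsearch list --debug` output.
# App name and group names are assumptions, not taken from the thread.
SAMPLE_BTOOL = """\
/opt/splunk/etc/system/default/distsearch.conf [distributedSearch]
/opt/splunk/etc/system/local/distsearch.conf servers = idx1:8089,idx2:8089
/opt/splunk/etc/apps/splunk_management_console/local/distsearch.conf [distributedSearch:dmc_group_indexer]
/opt/splunk/etc/apps/splunk_management_console/local/distsearch.conf servers = idx1:8089,idx2:8089
/opt/splunk/etc/apps/splunk_management_console/local/distsearch.conf [distributedSearch:dmc_group_search_head]
/opt/splunk/etc/apps/splunk_management_console/local/distsearch.conf servers = localhost:localhost
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")            # <source file> <conf line>
GROUP_RE = re.compile(r"^\[distributedSearch:([^\]]+)\]$")

Groups = Dict[str, Tuple[str, Dict[str, str]]]


def parse_btool(text: str) -> Groups:
    """Return {group_name: (source_file, {key: value})} for every search group."""
    groups: Groups = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or malformed line
        src, body = m.groups()
        g = GROUP_RE.match(body)
        if g:                             # start of a [distributedSearch:<group>] stanza
            current = g.group(1)
            groups[current] = (src, {})
        elif body.startswith("["):        # some other stanza, e.g. plain [distributedSearch]
            current = None
        elif current and "=" in body:     # key = value inside the current group
            key, value = (p.strip() for p in body.split("=", 1))
            groups[current][1][key] = value
    return groups


def dmc_groups(groups: Groups, dmc_app: str = "splunk_management_console") -> List[str]:
    """Search groups whose source file lives under the (assumed) DMC app directory."""
    return sorted(name for name, (src, _) in groups.items() if f"/apps/{dmc_app}/" in src)


if __name__ == "__main__":
    found = parse_btool(SAMPLE_BTOOL)
    for name in dmc_groups(found):
        print(f"DMC-added search group {name!r} from {found[name][0]}")
```

Run it against real output with `splunk btool distsearch list --debug | python3 check_dmc_groups.py` after swapping `SAMPLE_BTOOL` for `sys.stdin.read()`; any group reported on an ES search head is the configuration the answer says should not be there.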