Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

data on indexers disappeared

gitingua
Communicator
‎10-19-2021 06:16 AM

I have about 10 indexers, a cluster. For some reason my "master node" turned off and when it turned on. my data has disappeared. there were 18 million data, and it became 9 million for what reason could this happen? I can't find anything in the logs. HELP PLS

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-19-2021 06:50 AM

Indexer clusters can continue to function without a Manager Node/Cluster Manager so nothing should have happened to your cluster while the MN/CM was off.

Please tell us more about the problem.  How long was the MN off?  How did you discover your data had "disappeared"?  Where there any changes on the MN or indexers while the MN was off?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gitingua
Communicator
‎10-19-2021 07:10 AM

@richgalloway. Hello ! Thanks for answering. 

SH shows how much data is total and after the master has been turned off and on. I saw that the data was missing 2 times.

I got a message now

Search peer SH has the following message: Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes. Review system health: ensure downstream indexing and/or forwarding are operating correctly.

 

the problem arose after switching off and on the MN

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-19-2021 12:20 PM

I don't trust the Data Summary, but that error message is very telling.  Have you reviewed the system health?  There should be a red dot in the menu bar.  Clicking it will bring up the system health dashboard.  Click on other red icons to get details.  Also, use the Monitoring Console to check on the indexer queues.  Verify the storage system is healthy, too.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gitingua
Communicator
‎10-20-2021 02:49 AM

@richgalloway  how to check the storage system?) Thanks 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-20-2021 08:26 AM

Ideally, it would be sending its logs and metrics to Splunk so would you just need to craft a query to check the state of the storage system.  The details are specific to your environment.

Failing that, you can talk to the admin of the storage system.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...