Splunk Enterprise

In searchhead cluster with six machines, only one SH machine is not giving results for a particular app.

Reethika
Path Finder

In searchhead cluster with six machines, only one SH machine is not giving results for a particular app.

We have checked right corner>help>about>server.
 
All 5 other SH's giving results for this dashboard, except one.
 
Could anyone suggest with some troubleshooting?
 
I have cross-checked app config, among SHM 
 
Thanks.
Tags (2)

Reethika
Path Finder
The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute.' for master=https://************************ : 8089.
 
This is the  error I see on that particular SH 
0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

Make sure to have "site = <site>"  you can compare the server.conf with working SHs.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make sure the multisite attribute is set in the server.conf files on your search heads.

---
If this reply helps you, an upvote would be appreciated.

Reethika
Path Finder
[clustering]
master_uri = https://1*****************:8089
mode = searchhead
multisite = true
pass4SymmKey=*******************
 
Multisite is true
0 Karma

Reethika
Path Finder

It's an Enterprise security app,  And a particular dashboard "Incident Review" is give error as "Search did not return any events." on one SH.

On other searchhead we are getting results. 

 

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

What do you get on the GUI for the search. Do you find any error on the screen?

Is the search head able to do any searches but the search in question? Check the job inspector .

richgalloway
SplunkTrust
SplunkTrust

What is the app?  What is it supposed to be doing?  Is it enabled on all SHs?  What are the expected results?  Have you checked the logs?

---
If this reply helps you, an upvote would be appreciated.

Reethika
Path Finder

@richgalloway @anilchaithu  @sylim_splunk 

Can you please help

0 Karma

Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on