Splunk Enterprise

In searchhead cluster with six machines, only one SH machine is not giving results for a particular app.

Reethika
Path Finder

In searchhead cluster with six machines, only one SH machine is not giving results for a particular app.

We have checked right corner>help>about>server.
 
All 5 other SHs are giving results for this dashboard, except one.
 
Could anyone suggest with some troubleshooting?
 
I have cross-checked app config, among SHM 
 
Thanks.

Reethika
Path Finder
The searchhead is unable to update the peer information. Error = 'Master has multisite enabled but the search head is missing the 'multisite' attribute.' for master=https://************************ : 8089.
 
This is the error I see on that particular SH.
0 Karma

sylim_splunk
Splunk Employee

Make sure to have "site = <site>". You can compare the server.conf with the working SHs.

0 Karma

richgalloway
SplunkTrust

Make sure the multisite attribute is set in the server.conf files on your search heads.

---
If this reply helps you, Karma would be appreciated.
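
One way to do the comparison suggested in the two replies above, as an added example that is not part of the original thread and not Splunk's own tooling. It assumes you have the text of server.conf from a working search head and from the failing one; `site` is expected in the `[general]` stanza and `multisite` in `[clustering]`. The function names and sample configs are constructed for illustration.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

# "site" may differ per host, so it is checked for presence and format only.
CHECKED = [("general", "site"), ("clustering", "multisite"),
           ("clustering", "mode"), ("clustering", "master_uri")]

def multisite_findings(good_text, bad_text):
    """List CHECKED settings that are missing or differ on the failing SH."""
    good, bad = parse_conf(good_text), parse_conf(bad_text)
    findings = []
    for stanza, key in CHECKED:
        g = good.get(stanza, {}).get(key)
        b = bad.get(stanza, {}).get(key)
        if b is None:
            findings.append(f"[{stanza}] {key} is missing (working SH: {g})")
        elif key == "site":
            if not re.fullmatch(r"site\d+", b):
                findings.append(f"[general] site = {b} is not of the form site<n>")
        elif g is not None and b.lower() != g.lower():
            findings.append(f"[{stanza}] {key} = {b} (working SH: {g})")
    return findings

# Constructed sample configs; the hostname is a placeholder, not from the thread.
WORKING_SH = """[general]
site = site1
[clustering]
master_uri = https://cm.example.test:8089
mode = searchhead
multisite = true
"""
FAILING_SH = """[clustering]
master_uri = https://cm.example.test:8089
mode = searchhead
"""
print("\n".join(multisite_findings(WORKING_SH, FAILING_SH)))
```

Effective settings on a real host are merged from several server.conf files, so feed the function the merged view (for example the output of `splunk btool server list`) rather than a single file. pass4SymmKey is parsed but never compared or printed.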

Reethika
Path Finder
[clustering]
master_uri = https://1*****************:8089
mode = searchhead
multisite = true
pass4SymmKey=*******************
 
Multisite is true
0 Karma

Reethika
Path Finder

It's an Enterprise Security app, and a particular dashboard, "Incident Review", is giving the error "Search did not return any events." on one SH.

On the other search heads we are getting results.

 

0 Karma

sylim_splunk
Splunk Employee

What do you get on the GUI for the search? Do you find any error on the screen?

Is the search head able to do any searches but the search in question? Check the job inspector.

richgalloway
SplunkTrust

What is the app?  What is it supposed to be doing?  Is it enabled on all SHs?  What are the expected results?  Have you checked the logs?

---
If this reply helps you, Karma would be appreciated.

Reethika
Path Finder

@richgalloway @anilchaithu  @sylim_splunk 

Can you please help?

0 Karma