Splunk Enterprise

Index Not Search by default on Search Head

shangshin
Builder

I have a cluster of 2 peers, 1 master and one search head using Splunk version 6. The 2 indexers receive logs sent from forwarders. Assuming the index name is accees_log and it was sent from host name apachehost123.

I am able to perform a search and get results using either index=accees_log OR host=apachehost123 on the 2 search peers. However, the search result is empty on the search head or master unless I use index=accees_log.

I checked the listbox in "Indexes searched by default" for the search head but the index -- access_log is not displayed in the listbox.

Please advise where it could be wrong.

Thanks in advance!


dwaddle
SplunkTrust

When you are defining roles in the Splunk Manager UI, the list of "Indexes searched by default" only includes indexes defined on the instance of Splunk running manager. (In your case, that would be the search head).

A search head really does not know what indexes exist at a given indexer until it dispatches a search.

You should define the union of all of the indexes on all of your indexers on your search head. The indexes will never store anything, but their existence will make them appear in the Manager panels and will enable typeahead for "index=".
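To apply this suggestion, here is an added example (not from the thread): it reads each peer's indexes.conf, takes the union of the index stanzas, and renders the stanzas the search head needs. The two peer configs are constructed samples, and the index stanza names (other than the thread's accees_log) are made up for illustration.

```python
"""Build search-head indexes.conf stanzas from the union of the peers' indexes.

Each peer's config would normally come from its etc/system/local/indexes.conf
(or `splunk btool indexes list`); the strings below are constructed samples.
"""
import configparser

# Constructed sample: two peers with overlapping but different local indexes.
PEER_INDEXES_CONF = {
    "indexer1": """
[accees_log]
homePath = $SPLUNK_DB/accees_log/db
coldPath = $SPLUNK_DB/accees_log/colddb
thawedPath = $SPLUNK_DB/accees_log/thaweddb
""",
    "indexer2": """
[accees_log]
homePath = $SPLUNK_DB/accees_log/db
[firewall]
homePath = $SPLUNK_DB/firewall/db
""",
}

# Stanzas that are settings, not user indexes; internal indexes start with "_".
NON_INDEX_STANZAS = {"default"}


def index_names(conf_text):
    """Return the set of user index stanza names found in one indexes.conf."""
    parser = configparser.ConfigParser(interpolation=None)  # keep $SPLUNK_DB literal
    parser.read_string(conf_text)
    return {s for s in parser.sections()
            if s not in NON_INDEX_STANZAS
            and not s.startswith("volume:")
            and not s.startswith("_")}


def union_of_peer_indexes(peer_confs):
    """Sorted union of index names across all peers."""
    return sorted(set().union(*(index_names(c) for c in peer_confs.values())))


def search_head_indexes_conf(names):
    """Render one stanza per index with the paths Splunk requires.

    The search head never writes events here; the stanzas only make the
    indexes visible in Manager and enable index= typeahead."""
    lines = []
    for name in names:
        lines += [f"[{name}]",
                  f"homePath = $SPLUNK_DB/{name}/db",
                  f"coldPath = $SPLUNK_DB/{name}/colddb",
                  f"thawedPath = $SPLUNK_DB/{name}/thaweddb", ""]
    return "\n".join(lines)
```

Re-run it whenever an index is added on a peer; the rendered text is what would go into the search head's local indexes.conf, followed by a restart.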

shangshin
Builder

I tried to set up the cluster again using Splunk 6. The list of "Indexes searched by default" on the search head is NOT updated consistently with the search peer.

So it's because of the splunk version.

0 Karma

shangshin
Builder

To prove the theory, I rebuilt another cluster using version 5. The list of "Indexes searched by default" on the search head is updated consistently with the search peer.

I will do more experiments to verify if this is an issue on Splunk 6.

0 Karma

shangshin
Builder

Thanks for the reply.
I have another cluster using Splunk version 5. The list of "Indexes searched by default" on the search head is automatically updated when a new index is created on the indexers. I really don't think the index needs to be manually updated on the search head when there is an index modification on the indexers.

0 Karma

somesoni2
Revered Legend

And similarly, a local instance of the index will be required in case you plan to have summary indexing (scheduled search to be configured on the Search Head).

0 Karma