Splunk Enterprise

Index Not Search by default on Search Head

shangshin
Builder

I have a cluster of 2 peers, 1 master and one search head using Splunk version 6. The 2 indexers receive logs sent from forwarders. Assume the index name is accees_log and the logs were sent from host name apachehost123.

I am able to perform a search and get results using either index=accees_log OR host=apachehost123 on the 2 search peers. However, the search result is empty on the search head or master unless I use index=accees_log.

I checked the listbox in "Indexes searched by default" for the search head, but the index access_log is not displayed in the listbox.

Please advise where it could be wrong.

Thanks in advance!


dwaddle
SplunkTrust

When you are defining roles in the Splunk Manager UI, the list of "Indexes searched by default" only includes indexes defined on the instance of Splunk running manager. (In your case, that would be the search head).

A search head really does not know what indexes exist at a given indexer until it dispatches a search.

You should define the union of all of the indexes on all of your indexers on your search head. The indexes will never store anything, but their existence will make them appear in the Manager panels and will enable typeahead for "index=".
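As an added illustration of that answer (not configuration posted by the author), the stub index definition on the search head and a role that searches it by default. It assumes the index is named access_log and uses a hypothetical role name, role_apache_analysts; both files live under $SPLUNK_HOME/etc/system/local/ on the search head.

```ini
# indexes.conf on the SEARCH HEAD (added example, assumed index name access_log)
# Stub definition only: the search head dispatches searches to the peers and
# never writes events here, but the stanza is what makes the index show up in
# Manager and in "index=" typeahead. The three paths are required for a valid
# stanza even though they will stay empty.
[access_log]
homePath   = $SPLUNK_DB/access_log/db
coldPath   = $SPLUNK_DB/access_log/colddb
thawedPath = $SPLUNK_DB/access_log/thaweddb

# authorize.conf on the SEARCH HEAD (hypothetical role for illustration)
# Once the stub exists, access_log can be selected in "Indexes searched by
# default" in Manager, which writes srchIndexesDefault for the role.
[role_apache_analysts]
importRoles = user
srchIndexesAllowed = access_log
srchIndexesDefault = access_log
```

srchIndexesAllowed is the setting that actually restricts which indexes the role may read; srchIndexesDefault only decides which indexes a search without an explicit index= term covers, so a role that is only meant to see access_log needs the Allowed line, not just the Default one.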

shangshin
Builder

I tried to set up the cluster again using Splunk 6. The list of "Indexes searched by default" on the search head is NOT updated consistently with the search peers.

So it's because of the Splunk version.


shangshin
Builder

To prove the theory, I rebuilt another cluster using version 5. The list of "Indexes searched by default" on the search head is updated consistently with the search peers.

I will do more experiments to verify whether this is an issue in Splunk 6.


shangshin
Builder

Thanks for the reply.
I have another cluster using Splunk version 5. The list of "Indexes searched by default" on the search head is automatically updated when a new index is created on the indexers. I really don't think the index needs to be manually updated on the search head when there is an index modification on the indexers.


somesoni2
Revered Legend

And similarly, a local instance of the index will be required in case you plan to use summary indexing (with the scheduled search configured on the Search Head).
