Splunk Enterprise

Search head not able to send data to the cluster


I have two search heads, which are not clustered; only my indexers are clustered, and the search heads are separate.
Both worked fine, but recently I must have misconfigured something (unintentionally, obviously), because one of my search heads is not able to send any data to my indexers.
The _internal index doesn't contain any data from my problematic search head, and if I try to write something to a summary index with the command "collect", it also fails.
However, the search head started to create buckets locally to store the _internal index.

I was trying to compare the inputs.conf and outputs.conf files against my working search head, but I haven't found anything.
I'm able to run searches from my problematic one, so it can access the cluster, but can't send any data.

0 Karma

Revered Legend

Ensure that your search head is configured to forward search head data to the indexers, as described in the link below.


0 Karma


This is the part where I got lost...
I've queried the running config with btool, and there is no tcpout group configured in my search head (the one which works fine), and there is no "server =" option in the outputs.conf at all.

0 Karma


outputs.conf is the one you need to check. See if there is an additional outputs.conf on the problematic search head that is taking precedence.

You can also verify by running the btool command to check what configuration is in effect.
./splunk cmd btool outputs list

0 Karma
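The precedence check suggested above can be automated. The following is an added example, not code from the thread or from Splunk: it parses the output of `./splunk cmd btool outputs list --debug`, which prefixes every effective setting with the file it came from, and reports why the merged outputs.conf would not forward to the indexers. The sample output, the host names and the app name `old_fwd_app` are constructed, and the parser assumes file paths without spaces.

```python
import re

# Constructed sample of `./splunk cmd btool outputs list --debug` output:
# each line is "<source file> <stanza header or key = value>".
SAMPLE = """\
/opt/splunk/etc/apps/old_fwd_app/local/outputs.conf [tcpout]
/opt/splunk/etc/apps/old_fwd_app/local/outputs.conf defaultGroup = retired_indexers
/opt/splunk/etc/system/local/outputs.conf           indexAndForward = false
/opt/splunk/etc/system/local/outputs.conf [tcpout:primary_indexers]
/opt/splunk/etc/system/local/outputs.conf server = idx1.example.com:9997,idx2.example.com:9997
"""


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}}; assumes paths without spaces."""
    stanzas, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        source, rest = parts[0], parts[1].strip()
        header = re.fullmatch(r"\[(.+)\]", rest)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            current[key] = (value, source)  # remember which file supplied the value
    return stanzas


def forwarding_findings(stanzas):
    """List reasons the effective outputs.conf would not forward to indexers."""
    groups = {n.split(":", 1)[1]: s for n, s in stanzas.items() if n.startswith("tcpout:")}
    default = stanzas.get("tcpout", {}).get("defaultGroup")
    if default is None:
        return ["[tcpout] has no defaultGroup"]
    value, source = default
    findings = []
    for name in (g.strip() for g in value.split(",")):
        group = groups.get(name)
        if group is None:
            findings.append(f"defaultGroup '{name}' from {source} has no [tcpout:{name}] stanza")
        elif not {"server", "indexerDiscovery"} & group.keys():
            findings.append(f"[tcpout:{name}] defines no server or indexerDiscovery")
    return findings


if __name__ == "__main__":
    for finding in forwarding_findings(parse_btool_debug(SAMPLE)):
        print(finding)
```

In the constructed sample, an app-level outputs.conf supplies a `defaultGroup` that points at a group with no stanza, which the source-file column makes visible.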