Splunk Enterprise

Search head not able to send data to the cluster


I have two search heads, which are not clustered, only my indexers are clustered, the search heads are separate.
Both worked fine, but recently I must have misconfigured something (unintenionally obviously), because one of my search heads are not able to send any data to my indexers.
The _internal index doesn't contain any data from my problematic search head, and if I try to write something to a summary index with the command "collect", it also fails.
However, the search head started to create buckets locally to store the _internal index.

I was trying to compare the inputs,outputs.conf files against my working search head, but I haven't found anything.
I'm able to run searches from my problematic one, so it can access the cluster, but can't send any data.

Tags (1)
0 Karma

Revered Legend

Ensure that your search head is configured to forwarder search head data to indexers, as described in below link.


0 Karma


This is the part where I got lost...
I've queried the running config with btool, and there is no tcpout group configured in my search head (the one which works fine), and there is no
server =
option in the outputs.conf at all.

0 Karma


outputs.conf is the one you need to check. See if there is an additional outputs.conf on the problematic search head that is taking precedence.

You can also verify by running btool command to check what configuration is in effect.
./splunk cmd btool outputs list

0 Karma
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...