Splunk Enterprise

how do I unquarantine an indexer

rewritex
Contributor

I recently had to take an indexer offline while I worked on storage, so I ended up putting it into quarantine until things were resolved. Now that things are resolved, I can see the indexer is receiving data, but I still have the below error within the monitoring console:

"One or more peers has been excluded from the search because they have been quarantined. Use "splunk_server=*" to search these peers. This might affect search performance."


My cluster manager now sees both indexers (01 and 02) in this group, but there are still errors suggesting the 02 indexer is still quarantined. Indexer02 was the one quarantined; it is now receiving data and shows up in the monitoring console, but with the above error.

Any advice on how to unquarantine this indexer or resolve this message?
I've tried to fiddle around with this DOC but I can't seem to find the correct syntax for the indexer
https://docs.splunk.com/Documentation/Splunk/8.0.6/DistSearch/Quarantineasearchpeer


Thanks,
Sean

0 Karma
1 Solution

rewritex
Contributor

I had to remove the entries in the $SPLUNK_HOME/etc/system/local/distsearch.conf within the master server and restarted. I then went into the monitoring console -> Settings -> enabled the indexer -> corrected the role to only-indexer -> applied changes. Now the monitoring console looks good.

[distributedSearch]
disabled = 0
disabled_servers = https://<server01>:8089 <---- Removed this
quarantined_servers = https://<server01>:8089 <---- Removed this


0 Karma
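
A read-only check for the fix described in the accepted answer, as an added example that is not part of the original thread or Splunk's own tooling: it lists every peer still named under disabled_servers or quarantined_servers in the [distributedSearch] stanza of a distsearch.conf. The sample hostnames, the second stanza name and the comma/whitespace list separators are assumptions.

```sh
#!/bin/sh
# Added example: audit a distsearch.conf for peers still excluded from search.

# list_excluded_peers FILE
# Prints "setting<TAB>peer" for each peer under disabled_servers or
# quarantined_servers in the [distributedSearch] stanza.
list_excluded_peers() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*\[/ {                                # any stanza header
            in_ds = ($0 ~ /^[ \t]*\[distributedSearch\][ \t]*$/)
            next
        }
        in_ds && /^[ \t]*(disabled_servers|quarantined_servers)[ \t]*=/ {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            n = split(val, peers, /[ \t,]+/)         # assumed list separators
            for (i = 1; i <= n; i++)
                if (peers[i] != "") printf "%s\t%s\n", key, peers[i]
        }
    ' "$1"
}

# peer_is_excluded FILE PEER_URI: exit status 0 if PEER_URI is still listed.
peer_is_excluded() {
    list_excluded_peers "$1" | cut -f2 | grep -Fxq -- "$2"
}

# Constructed sample input (hostnames are placeholders, not from the post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[distributedSearch]
disabled = 0
# quarantined_servers = https://old.example.invalid:8089
disabled_servers = https://idx02.example.invalid:8089
quarantined_servers = https://idx02.example.invalid:8089, https://idx03.example.invalid:8089

[someOtherStanza]
quarantined_servers = https://ignored.example.invalid:8089
EOF

list_excluded_peers "$sample"
```

Run `list_excluded_peers` against the distsearch.conf that was edited; no output means no peer is excluded by that file.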


isoutamo
SplunkTrust
Have you tried settings -> distributed searches -> search peers? You could find those options there. One thing you could also try is to click the node name and reauthenticate it. Then unquarantine it again.
r. Ismo
0 Karma

rewritex
Contributor

Thank you for the reply. This settings area was blank but I ended up having to manually adjust the distsearch.conf file within the master server to remove the server from quarantine. 

0 Karma