Splunk Enterprise

how do I unquarantine a indexer

rewritex
Contributor

 

I've recently had to take an indexer offline while I worked on storage so I ended up putting it into quarantine  until things were resolved. Now that things are resolved, I can't seem the indexer is receive data but I still have the below error within the monitoring console:

"One or more peers has been excluded from the search because they have been quarantined. Use "splunk_server=*" to search these peers. This might affect search performance."

splunk_indexer_quarantined.PNG

 

 

 

My cluster manager now sees both indexers (01 and 02) in this group but the there are still errors suggesting the 02 indexer is still quarantined. The indexer02 was the one quarantined which is now receiving data and shows up in the monitoring console but with  the above error

Any advice on how to unquarantine this indexer or resolve this message?
I've tried to fiddle around with this DOC but I can't seem to find the correct syntax for the indexer
https://docs.splunk.com/Documentation/Splunk/8.0.6/DistSearch/Quarantineasearchpeer

 

Thanks,
Sean

 

 

Labels (3)
0 Karma
1 Solution

rewritex
Contributor

I had to remove the entries in the $SPLUNK_HOME/etc/system/local/distsearch.conf within the master server and restarted. I then went into the monitoring console -> Settings -> enabled the indexer -> corrected the roll to only-indexer -> applied changes. Now the monitoring console  looks good.

[distributedSearch]
disabled = 0
disabled_servers = https://<server01>:8089 <---- Removed this
quarantined_servers = https://<server01>:8089 <---- Removed this

View solution in original post

0 Karma

rewritex
Contributor

I had to remove the entries in the $SPLUNK_HOME/etc/system/local/distsearch.conf within the master server and restarted. I then went into the monitoring console -> Settings -> enabled the indexer -> corrected the roll to only-indexer -> applied changes. Now the monitoring console  looks good.

[distributedSearch]
disabled = 0
disabled_servers = https://<server01>:8089 <---- Removed this
quarantined_servers = https://<server01>:8089 <---- Removed this

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Have you tried on settings -> distributed searches -> search peers? You could find those option there. One thing what you also could try is click node name and reauthenticate it. Then again unquarantine it.
r. Ismo
0 Karma

rewritex
Contributor

Thank you for the reply. This settings area was blank but I ended up having to manually adjust the distsearch.conf file within the master server to remove the server from quarantine. 

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!