Splunk Enterprise

How do I unquarantine an indexer

rewritex
Contributor

 

I've recently had to take an indexer offline while I worked on storage, so I ended up putting it into quarantine until things were resolved. Now that things are resolved, I can see the indexer is receiving data but I still have the below error within the monitoring console:

"One or more peers has been excluded from the search because they have been quarantined. Use "splunk_server=*" to search these peers. This might affect search performance."


My cluster manager now sees both indexers (01 and 02) in this group but there are still errors suggesting the 02 indexer is still quarantined. Indexer02 was the one quarantined; it is now receiving data and shows up in the monitoring console, but with the above error.

Any advice on how to unquarantine this indexer or resolve this message?
I've tried to fiddle around with this DOC but I can't seem to find the correct syntax for the indexer
https://docs.splunk.com/Documentation/Splunk/8.0.6/DistSearch/Quarantineasearchpeer

 

Thanks,
Sean

 

 

0 Karma

rewritex
Contributor

I had to remove the entries in the $SPLUNK_HOME/etc/system/local/distsearch.conf within the master server and restarted. I then went into the monitoring console -> Settings -> enabled the indexer -> corrected the role to only-indexer -> applied changes. Now the monitoring console looks good.

[distributedSearch]
disabled = 0
disabled_servers = https://<server01>:8089 <---- Removed this
quarantined_servers = https://<server01>:8089 <---- Removed this

0 Karma
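
The manual edit described in the accepted answer can be scripted. The sketch below is an added example, not part of the original post and not Splunk's own tooling: it removes one peer URI from `disabled_servers` and `quarantined_servers` in the `[distributedSearch]` stanza and leaves every other setting alone. It assumes both settings are comma-separated lists; the hostnames and the function name `unquarantine` are constructed for illustration. A restart is still needed afterwards, as in the answer.

```python
import re

# Settings the accepted answer removed by hand.
LIST_KEYS = ("disabled_servers", "quarantined_servers")

def unquarantine(conf_text, peer):
    """Return (new_text, changed_keys) with `peer` dropped from the
    quarantine/disabled lists of the [distributedSearch] stanza."""
    out, changed, stanza = [], [], None
    for line in conf_text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            stanza = header.group(1)
        # Commented-out lines start with '#', so they never match here.
        setting = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.*)$", line)
        if stanza == "distributedSearch" and setting and setting.group(1) in LIST_KEYS:
            key, value = setting.groups()
            peers = [p.strip() for p in value.split(",") if p.strip()]
            kept = [p for p in peers if p.rstrip("/") != peer.rstrip("/")]
            if len(kept) != len(peers):
                changed.append(key)
            if not kept:
                continue  # list is now empty: drop the setting entirely
            line = f"{key} = {', '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n", changed

# Constructed sample; real files live under $SPLUNK_HOME/etc/system/local/.
SAMPLE = """\
[distributedSearch]
disabled = 0
servers = https://idx01.example.test:8089, https://idx02.example.test:8089
disabled_servers = https://idx02.example.test:8089
quarantined_servers = https://idx02.example.test:8089, https://idx03.example.test:8089
"""

if __name__ == "__main__":
    new_text, changed = unquarantine(SAMPLE, "https://idx02.example.test:8089")
    print("changed settings:", changed)
    print(new_text, end="")
```

Review the printed result and back up the original distsearch.conf before writing the new text over it.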

isoutamo
SplunkTrust
Have you tried settings -> distributed searches -> search peers? You can find those options there. One thing you could also try is to click the node name and reauthenticate it. Then unquarantine it again.
r. Ismo
0 Karma

rewritex
Contributor

Thank you for the reply. This settings area was blank but I ended up having to manually adjust the distsearch.conf file within the master server to remove the server from quarantine. 

0 Karma