Splunk Enterprise

How do I unquarantine an indexer?

rewritex
Contributor

 

I recently had to take an indexer offline while I worked on storage, so I ended up putting it into quarantine until things were resolved. Now that things are resolved, I can see the indexer is receiving data, but I still have the error below within the monitoring console:

"One or more peers has been excluded from the search because they have been quarantined. Use "splunk_server=*" to search these peers. This might affect search performance."

My cluster manager now sees both indexers (01 and 02) in this group, but there are still errors suggesting the 02 indexer is still quarantined. Indexer02 was the one quarantined; it is now receiving data and shows up in the monitoring console, but with the above error.

Any advice on how to unquarantine this indexer or resolve this message?
I've tried to fiddle around with this DOC but I can't seem to find the correct syntax for the indexer
https://docs.splunk.com/Documentation/Splunk/8.0.6/DistSearch/Quarantineasearchpeer

 

Thanks,
Sean

1 Solution

rewritex
Contributor

I had to remove the entries in the $SPLUNK_HOME/etc/system/local/distsearch.conf within the master server and restarted. I then went into the monitoring console -> Settings -> enabled the indexer -> corrected the role to only-indexer -> applied changes. Now the monitoring console looks good.

[distributedSearch]
disabled = 0
disabled_servers = https://<server01>:8089 <---- Removed this
quarantined_servers = https://<server01>:8089 <---- Removed this

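A check for the leftover entries described in the solution above, as an added example that is not part of the original posts: it parses a distsearch.conf and lists any peers still named under quarantined_servers or disabled_servers in the [distributedSearch] stanza. The function name `excluded_peers` and the sample hostnames are constructed for illustration, and comma-separated values are an assumption (the post shows one peer per key).

```python
"""Report search peers that distsearch.conf still lists as quarantined or disabled."""
import sys

WATCHED_KEYS = ("quarantined_servers", "disabled_servers")


def excluded_peers(conf_text):
    """Return {key: [peer, ...]} for the [distributedSearch] stanza.

    Assumes values are comma-separated peer URIs; a repeated key overrides
    the earlier one, so the last assignment in the file wins.
    """
    found = {key: [] for key in WATCHED_KEYS}
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza != "distributedSearch" or "=" not in line:
            continue  # only this stanza carries the peer lists
        key, _, value = line.partition("=")
        key = key.strip()
        if key in found:
            found[key] = [p.strip() for p in value.split(",") if p.strip()]
    return found


# Constructed samples mirroring the stanza in the post; hostnames are placeholders.
SAMPLE_BEFORE = """\
[distributedSearch]
disabled = 0
disabled_servers = https://idx02.example.internal:8089
quarantined_servers = https://idx02.example.internal:8089
"""
SAMPLE_AFTER = """\
[distributedSearch]
disabled = 0
"""

if __name__ == "__main__":
    # Pass the file path as the first argument; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    result = excluded_peers(text)
    for key, peers in result.items():
        for peer in peers:
            print(f"{key}: {peer}")
    sys.exit(1 if any(result.values()) else 0)  # non-zero while peers are excluded
```

The non-zero exit status makes it usable as a scheduled health check, so a peer left in quarantine after maintenance is noticed before searches silently skip its data.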

isoutamo
SplunkTrust
Have you tried settings -> distributed searches -> search peers? You could find those options there. One thing you could also try is to click the node name and reauthenticate it. Then unquarantine it again.
r. Ismo

rewritex
Contributor

Thank you for the reply. This settings area was blank but I ended up having to manually adjust the distsearch.conf file within the master server to remove the server from quarantine. 
