Splunk IT Service Intelligence

Splunk (Search Head 1) extracted fields are different from (Search Head 2) fields

Oracle
Explorer

Hi Guys,

I am confused right now by the OS nix data that is being ingested in our Splunk; we have 2 search heads, btw.

When I search this query "(index=* tag=oshost tag=performance tag=cpu)" on both search heads, the fields are different. What would be the reason the fields are different from each other?

Search head 1 Result:
---> The fields on search head 1 were extracted the way we need them, e.g. (mem used & mem free).

Search head 2 Result:
---> The fields that we are seeing are the Splunk default fields, e.g. (host, line count, index, tag). For us to be able to see the same fields as on search head 1, we need to add/use "multikv" in our query.

I already checked the tag, eventtype, & user permission that we are using; they seem to be fine.

Any suggestions would be appreciated. Thanks,

--
Michael

0 Karma

akocak
Contributor

Technically, the same settings from the search head deployer are sent to all search head instances. The way you phrased your question first reminds me of the search modes of Splunk: fast, smart and verbose.
Are you sure the search is run in smart or verbose mode for both searches? Is it possible the second search is run in fast mode?

If that is not the case:
one thing would be comparing props.conf and transforms.conf on both search heads as well as the SH deployer, as mentioned.

If this is not the case either, on the Splunk CLI:

    ./splunk cmd btool props list --debug | grep <Field_that_you_are_looking for>

You should check whether the SH gets the setting from the same file on each search head. Especially when a search head is added to the cluster later than the initial members; I had a couple of cases where previous users added some stuff to etc/system/local that conflicted with my changes from the search head deployer.
Thanks.

0 Karma

Oracle
Explorer

Hi akocak,

Sorry for the late response.
Will try to look at the configuration file and get back to you as soon.

Thanks..

0 Karma

deepashri_123
Motivator

Hey @Oracle,

Try comparing the props.conf and transforms.conf on both the search heads. This should help you find where the problem is. You can use btool on both the search heads for comparison.

Let me know if this helps!!

0 Karma

Oracle
Explorer

Hi deepashri,

Sorry for the late response.
Will try to look at the configuration file and get back to you as soon.

Thanks..

0 Karma