Solved: Indexing stopped: Why is there an error on SH mess...

ankurborah · ‎05-18-2022

Getting below error message on SH message box:

Search peer <Indexer_host> has the following message: Problem replicating config (bundle) to search peer ' <ip_deployment_server>:8089 ',
Upload bundle="/opt/splunk/var/run/236039B4-5D5D-4138-A083-DE21022C7678-16566.bundle" to peer name=<deployment_server> uri=https://192.210.0.6:8089
failed; error="Read Timeout".

ankurborah · ‎05-18-2022

Thanks for the help GC,

Able to find the issue.

This issue was caused due to the deployment server added as a search peer and it was not able to take the load as it was trying to replicate all the searches and files, hence i had to remove the configuration, which fixed the issue.

View solution in original post

gcusello · ‎05-18-2022

Hi @ankurborah,

the message says that there's a replication issue from the Deployment Server to an Indexer,

but what's your architecture?

how many Indexers are in you architecture?

why are you managing them by Deployment Server?

Ciao.

Giuseppe

ankurborah · ‎05-18-2022

Arhitecture is:

4 Indexers,3 SH's, Cluster master, deployment server, deployer and a few HF's.

Not understand "why are you managing them by Deployment Server?"

gcusello · ‎05-18-2022

Hi @ankurborah,

the message you shared says that the Deployment Server cannot send a bundle to a search peer,

maybe, for an error, one Indexers is in the list of the servers managed by the Deployment Server and this isn't correct because Indexers must be managed by the Master Node (or Cluster Master).

Ciao.

Giuseppe.

ankurborah · ‎05-18-2022

My mistake. It is not indexer it is one of the serach_head. correct error message is below:

Search peer <search_head> has the following message: Problem replicating config (bundle) to search peer ' <ip_deployment_server>:8089 ',
Upload bundle="/opt/splunk/var/run/236039B4-5D5D-4138-A083-DE21022C7678-16566.bundle" to peer name=<deployment_server> uri=https://192.210.0.6:8089
failed; error="Read Timeout".

gcusello · ‎05-18-2022

Hi @ankurborah,

it's the same thing: Search Heads cannot be managed by Deployment Server but only by Deployer.

Are you sure that the Search isn't in the list of the hosts managed by the Deployment Server?

Splunk Clusters (SHs or IDXs) have their own management machine (Deployer or Master Node) and Deployment Server cannot be used for this.

Ciao.

Giuseppe

ankurborah · ‎05-18-2022

Thanks for the help GC,

Able to find the issue.

This issue was caused due to the deployment server added as a search peer and it was not able to take the load as it was trying to replicate all the searches and files, hence i had to remove the configuration, which fixed the issue.

gcusello · ‎05-18-2022

Hi @ankurborah,

good for you, see next time

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Indexing stopped: Why is there an error on SH message box?

Other

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]