Introspection

SN1

Hello I am running search
index=_introspection
dedup host
table host

in result i am not able to see one indexer and one search head while other indexers and sh are visible .

livehybrid

Hi @SN1

If you look further back, when was the last event?
Have a look using this search looking back at least to the time of the last event from the missing servers.

| tstats latest(_time) as _time where index=_introspection by host

Then run the search 5-10 minutes later. Are the times of the last events different for the missing host? If so this would suggest that they are having issues sending logs and that they are delayed, rather than not sending at all.

In addition it would be worth checking the Splunk log of the missing host directly, check out $SPLUNK_HOME/var/log/splunk/splunkd.log - are there any references to blocking or output errors?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

kiran_panchavat

@SN1

There should be a message in splunkd.log explaining the problem.

index=_internal source=*splunkd.log

Check that there is enough storage on the volume containing the introspection index.

Also, confirm no one turned off introspection. See

https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF#Disable_logging

If the missing hosts haven’t reported data recently, they might not appear depending on the default time range (e.g., last 24 hours). Expand the time range in the UI or add earliest=-30d (or further back) to your search

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

kiran_panchavat

@SN1

If you run this search, how many peers return count?

index=_internal earliest=-5m@m | stats count by splunk_server

This should give responses from all your indexers, and if you have your SH / Component boxes configured to forward their internal logs, those also.

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

kiran_panchavat

@SN1

Check if the missing indexer and search head are online and Splunk is running on them. You can SSH into those servers and run splunk status to verify.

Are you able to see all the instances in the Monitoring console?

This could happen if:

The hosts are down or disconnected.
The Splunk instance on those hosts is not running.
There’s a network issue preventing data from being forwarded.

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

SN1

i am getting this error on health check

Root Cause(s):
- Events from tracker.log have not been seen for the last 238401 seconds, which is more than the red threshold (210 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.

kiran_panchavat

@SN1

The _introspection index in Splunk is part of the "Platform Instrumentation" features, which collect information about your systems running Splunk to help diagnose performance issues.

What does platform instrumentation log? - Splunk Documentation

Introspection endpoint descriptions - Splunk Documentation

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

Introspection

other

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk