Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Show Source when multiple splunk_servers index the same file

mslvrstn
Communicator
‎04-18-2011 08:23 AM

We have a file being monitored, and the default output is a round-robin to four indexers.
The results show up just fine, but when you click on Show Source for an event, only the events indexed by the same splunk_server are displayed. Is there a way to get Show Source to display all of the events as they originally appeared in the log file, regardless of which server indexed them?

Tags (1)
Reply

mamaral
Path Finder
‎04-18-2011 12:50 PM

I have almost the same environment as yours and here everything works fine! Any splunk forwarders, four indexers and two search heads; So, that file you are indexing, is it in the same location in all forwarders ?

0 Karma
Reply

mslvrstn
Communicator
‎04-18-2011 02:49 PM

In your setup, when you look at one source from one host, how many splunk_servers do you see? In the event viewer, pick two adjacent events that are reasonably close in time but have different splunk_servers. When you do a Show Source on one of those events, can you see the other event in the resulting log output?

0 Karma
Reply

mslvrstn
Communicator
‎04-18-2011 02:47 PM

To be clear, I am talking about the monitoring of a single file on a single forwarder. As the file grows, the autoLB will switch (every 7 seconds, in your case) which indexer sees chunks of that same file. The distributed search then returns results from all the indexers, but show source on one event in the eventviewer only shows source events from the same indexer that saw the original event.

0 Karma
Reply

mamaral
Path Finder
‎04-18-2011 12:33 PM

Have you configured the distributed search on your search head ?

0 Karma
Reply

mslvrstn
Communicator
‎04-18-2011 12:41 PM

Yes, as I said, the events show up correctly in the event viewer, being pulled in from all indexers.

The issue only shows up when you try to Show Source. In that case, only the events indexed by the same indexer as the selected event appear in the Show Source window. The behavior is somewhat understandable, but not really desirable; the whole point of Show Source is to display the original context of the event.

0 Karma
Reply

mamaral
Path Finder
‎04-18-2011 12:16 PM

Hi, the best way is use load balance in the splunk forwarder instead round-robin.
Try that:

[tcpout:LB_forwarders]
autoLB=true
server=<IP_SERVER_A>:8089,<IP_SERVER_B>:8089,<IP_SERVER_C>:8089,<IP_SERVER_D>:8089
autoLBFrequency=7

[tcpout]
defaultGroup=LB_forwarders
disabled=false
0 Karma
Reply

mslvrstn
Communicator
‎04-18-2011 12:24 PM

Sorry if I wasn't clear, but yes, that is what I'm doing.
I think of autoLB as round-robin, but I should have used the proper vernacular.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...