Splunk Search

Search Heads in cluster are not able to replicate properly

MousumiChowdhur
Contributor

Hi!

There are 2 search heads in our production cluster. We have implemented Alert Manager app in our SH and it incorporates alert manager specific lookups,Data Models and event types. Some of the functionalities of this app and dashboards are not getting replicated properly in all our search heads. In addition to this we are also facing few scenario's where the dashboards data are not getting replicated properly.

We have increased the distsearch's default size to 3 Gb but still some times we have to face the above issue.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi MousumiChowdhury,
remember that not all the objects are replicated between Search Heads, only the "Knowledge" part (Left Up) of the Settings Panel.
Which functionlities aren't replicated?
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi MousumiChowdhury,
remember that not all the objects are replicated between Search Heads, only the "Knowledge" part (Left Up) of the Settings Panel.
Which functionlities aren't replicated?
Bye.
Giuseppe

0 Karma

MousumiChowdhur
Contributor

Hi,

I'm not able to see few of the dashboard panels data. When a user logs in through DNS and searches for a dashboard, his request hits either of the search heads. If it hits where dashboard or panel data is not replicated, he is not able to see anything in this case. Whereas, If the request hits the SH where data is present, user is able to see data in the dashboard.

0 Karma

MousumiChowdhur
Contributor

Hi Cusello,

I have found that, my lookups are not getting replicated between search heads. On one of my search heads the number of lookups are more than that of the other search head.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Yes this is the result of unallignment of Search Heads.
You should understand which are the Knowledge Objects of Alert Manager App not replicated between SearchHeads.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...