Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search head not fetching data properly from search peers

lksridhar
Explorer
‎08-22-2017 04:26 AM

Hi Folks,

We are facing some issue in our environment is search head(6.2) is not fetching data properly from search peers, means we have two search head with different version, SH1 (6.2 version) fetching 3000 event from search peers and SH2(version 6.6) fetching 7000 events from search peer and there is data mismatch between the SH.

We have indexer clustering and standalone indexer, indexer cluster search peer version is 6.2 and standalone indexer version is 6.6

Why the SH1 is not fetching data properly from peers, due to the compatibility between the Splunk version it is not fetching data properly,

Please let me know if i need to change any configuration files changes to fetch the data properly.

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎08-22-2017 11:46 AM

As you have a indexer running 6.6, you'll need to upgrade your 6.2 SH to 6.6 to be in a supported configuration.
Currently your 6.2 SH has problem talking with the 6.6 IDX, which explain the difference in your results.
As a rule of thumb, SH>=IDX version

see http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Distsearchsystemrequirements for more info

0 Karma
Reply

lksridhar
Explorer
‎08-23-2017 03:06 AM

Thanks maraman for the info, we are getting logs properly from standalone indexer which have higher version but not getting proper logs from indexer cluster peer which have same version. is there any cluster issue.

0 Karma
Reply

adonio
Ultra Champion
‎08-22-2017 05:53 AM

try ... | stats count by splunk_server
to see where is the gap exactly.
as rule of thumb, Search Head has to have newer version than Indexer

0 Karma
Reply

lksridhar
Explorer
‎08-22-2017 07:12 AM

Thanks adonio for replay, i checked the query on two different version search head and it is showing different result.

The SH1 (version 6.2) showing total event count less compared to SH2 (version 6.5) and indexer version 6.2.3

what would be the issue, why Total event count showing less in SH1 compared to 6.5 SH2

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...