- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: When searching via REST API in a distributed s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hallo,
I have a setup with 2 indexers and a dedicated search head; the indexes.conf file is defined only on the indexers (they are configured as deployment clients with the search head as the deployment server in order to simplify the administration of the settings).
Searching via REST API always returns error message "supplied index 'p_uno' missing". According to this:
https://answers.splunk.com/answers/334974/rest-api-receiverssimple-supplied-index-missing.html
the solution would be to define the indexes also on the search head, i.e. the indexes.conf from the deployment class directory should be copied in etc/system/local.
The question is, how can I stop the search head from saving locally the indexed data, when the indexes.conf file gives also the physical paths pro index?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you set up the indexers as search peers to the search head? It sounds like your search head is only search itself, but it does not have any data.
Have you followed all the steps here: http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/Configuredistributedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you set up the indexers as search peers to the search head? It sounds like your search head is only search itself, but it does not have any data.
Have you followed all the steps here: http://docs.splunk.com/Documentation/Splunk/6.3.3/DistSearch/Configuredistributedsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
curl -ku user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search 2016/02/26 03:00:01,some_search_string" -d output_mode=csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly, und according to one question I found here (the link is in my OP) the indexes should be defined also on the indexer (which isn't, in my case)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What REST endpoint are you accessing? Can you post your full request? The Splunk answer you lined to is talking about a data input, not a search.
Also can you clarify - in your last comment you said that the index p_uno is NOT defined on your indexers. But in your question you said it is ONLY defined on your indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, my fault, I have thought search head and wrote indexers
the indexes are defined ONLY on the indexers and not on the searchhead
curl -k -u user:pass "https://searchhead:8089/services/receivers/simple?source=www&sourcetype=web_event&index=p_uno" -d "2016/02/26 03:00:01,some_random_string,0,2367,84032"
answer
<msg type="WARN">supplied index 'p_uno' missing</msg>
answer for index main works
<result>
<field k="_index">
<value>
<text>main</text>
</value>
</field>
<field k="bytes">
<value>
<text>60</text>
</value>
</field>
<field k="host">
<value>
<text>10.134.222.99</text>
</value>
</field>
<field k="source">
<value>
<text>www</text>
</value>
</field>
<field k="sourcetype">
<value>
<text>web_event</text>
</value>
</field>
</result>
basically he doesn't find the p_uno on the searchhead, because the searchhead doesn't have the indexes defined
what happens if I copy the indexes.conf on the searchhead ? will it also save/store data locally ?
thanks for your patience
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see - why not use the rest endpoint on the indexer? Then you don't need to create the index on the search head
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suppose you mean
curl -ku user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search 2016/02/26 03:00:01,some_search_string" -d output_mode=csv
this "spreads" the search across the indexers and gives all available results (see below)
many many thanks
"_serial","_time",source,sourcetype,host,index,"splunk_server","_raw"
0,"2016-02-26 03:00:01.000 CET",www,"web_event","10.104.176.7","p_uno","splunk01-indexer","2016/02/26 03:00:01,some_search_string"
0,"2016-02-26 03:00:01.000 CET",www,"web_event","10.104.176.7","p_uno","splunk02-indexer","2016/02/26 03:00:01,some_search_string"
1,"2016-02-26 03:00:01.000 CET",www,"web_event","10.104.176.7","p_uno","splunk02-indexer","2016/02/26 03:00:01,some_search_string"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, the indexers are configured as distributed search peers and they are working; the forwarders are configured to send data only to the indexers and the searchhead reads the data (correctly) from both
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So searching from web UI works but searching from the API fails?
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
