Hi to everyone
I have a "Distributed Environment", with two indexers, and two search heads.
In the Master Node Indexer, I have an index called ftp, with a lot of data (I want this data available for distributed search). I've deployed "indexes.conf" to "search peers", and I can see the ftp index created in the search peer, but I can't see any data.
What can I do to have this data available for distributed search?
2 possibilities: 1) there's no data in your index (the index is not visible until there are buckets); 2) repFactor=auto wasn't set for the index (that sets the index to be a clustered index; see the indexes.conf.spec file).
1) There's a lot of data in my index
2) repFactor is set in my index (SPLUNK_HOME/etc/apps/search)
Is it set for the indexers or the cluster master? (It needs to be set on all the indexers.)
If you're working in a distributed environment, you need to create the index in the Cluster Master, under the master-apps, and then push that to all the cluster members.
A quick way to check this is to validate the existence of the index on all the cluster members. If you created this on one indexer, you're calling the master node, in the GUI under indexes, that won't replicate the index or the buckets to the other indexers.
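The repFactor condition raised in the replies above can be checked mechanically on the indexes.conf that gets pushed to the peers. This is an added example, not part of the thread and not Splunk tooling: the sample file contents and the function names are constructed for illustration, and it assumes the indexes.conf.spec default of repFactor = 0 when the setting is absent.

```python
# Constructed sample of an indexes.conf as it might be pushed to the peers.
SAMPLE_INDEXES_CONF = """\
[default]
# no repFactor here, so indexes fall back to the spec default of 0

[ftp]
homePath   = $SPLUNK_DB/ftp/db
coldPath   = $SPLUNK_DB/ftp/colddb
thawedPath = $SPLUNK_DB/ftp/thaweddb

[web]
homePath   = $SPLUNK_DB/web/db
coldPath   = $SPLUNK_DB/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
repFactor  = auto
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas = {}
    # Settings that appear before any stanza header count as [default].
    current = stanzas.setdefault("default", {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def non_replicated_indexes(text):
    """Return index stanzas whose effective repFactor is not 'auto'."""
    stanzas = parse_conf(text)
    inherited = stanzas["default"].get("repFactor", "0")
    missing = []
    for name, settings in stanzas.items():
        if name == "default" or name.startswith("volume:"):
            continue  # not index definitions
        if settings.get("repFactor", inherited).lower() != "auto":
            missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    for index in non_replicated_indexes(SAMPLE_INDEXES_CONF):
        print(f"index '{index}' is not replicated: set repFactor = auto")
```
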
And how can I create the index in the Cluster Master under the master-apps? I've copied the search app folder into the master-apps folder and then pushed it, but I think that something is wrong with that.