Splunk Search
Highlighted

Why isn't my index available for search in a distributed search environment?

Communicator

Hi to everyone

I have a "Distributed Environment", with two indexers, and two search heads.
In the Master Node Indexer, I have an index called ftp, with a lot of data (I want this data available for distributed search). I've deployed "indexes.conf" to "search peers", and I can see the ftp index created in the search peer, but I can't see any data.

What can i do for have this data available for distributed search?

Regards

0 Karma
Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Splunk Employee
Splunk Employee

2 possibilities 1) theres no data in your index (the index is not visible until there are buckets) 2) repFactor=auto wasn't set for the index (that sets the index to be a clustered index, see the indexes.conf.spec file)

see http://answers.splunk.com/answers/170721/why-cant-i-see-non-internal-indexes-in-cluster-mas.html#ans...

View solution in original post

Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Communicator

1) There's a lot of data in my index
2) repFactor is set in my index (SPLUNK_HOME/etc/apps/search)

0 Karma
Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Splunk Employee
Splunk Employee

is it set for the indexers or the cluster master? (it needs to be set on all the indexers)

0 Karma
Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Splunk Employee
Splunk Employee

http://docs.splunk.com/Documentation/Splunk/6.2.5/Indexer/Migratenon-clusteredindexerstoaclustereden...

if its migrated from non-clustering, the old buckets will not replicate

Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Communicator

Yes, you are right, is migrated from non-clustering.

0 Karma
Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Splunk Employee
Splunk Employee

If you're working in a distributed environment, you need to create the index in the Cluster Master, under the master-apps, and then push that to all the cluster members.

Quick way to check this is to validate the existence of the index on all the cluster members. If you created this on one indexer, you're calling the master node, in the GUI under indexes, that wont replicate the index or the buckets to the other indexers.

Highlighted

Re: Why isn't my index available for search in a distributed search environment?

Communicator

And how can i create the index in the Cluster Master under the master-apps?, i've copied the search app folder in the master-apps folder, and then push it, but i think that something is wrong with that.

0 Karma