Solved: distributed search both ways?

dhaffner · ‎05-05-2010

Is it possible to have indexer A distribute to indexer B and have B distribute to A? What are the settings for it. Just trying to set it up via the GUI, it all seems OK, but B cannot see any events on A. Thanks for any help!

sideview · ‎05-05-2010

Have you checked whether the same field extractions exist on both servers?

In distributed search the search-time knowledge that gets used is solely on the search head. so if the field extractions/lookups/eventtypes etc are different, you will get different results, and if your search uses one of the missing items, frequently 0 results.

View solution in original post

sideview · ‎05-05-2010

Have you checked whether the same field extractions exist on both servers?

In distributed search the search-time knowledge that gets used is solely on the search head. so if the field extractions/lookups/eventtypes etc are different, you will get different results, and if your search uses one of the missing items, frequently 0 results.

dhaffner · ‎05-06-2010

Perfect! this worked out great! Thank you very much!

gkanapathy · ‎05-05-2010

Yes. You just set it up twice, repeating the steps on each side.

dhaffner · ‎05-05-2010

Any ideas why it doesn't work? We've done it on 2 other indexers with no problems. Where do we start looking?

dhaffner · ‎05-05-2010

That's what we have done, but it is only working one way, not both.

distributed search both ways?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation