Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search head not working in a cluster

pil321
Communicator
‎01-02-2014 01:32 PM

I've set upt a cluster in a lab environment - replication factor of 2 using RHEL 6.4. All looks good from the master node (all data is searchable, search factor is met, replication factor is met). I'm also using a heavy forwarder. Forwarding to the 2 peers is done on separate ports (9997 and 9998). Receiving from the hosts is on port 9996. Deploymemnt monitor shows the forwarders are up (one heavy and one universal).

When I try to do a search (from the search head), I get a message stating "no results found".

Any ideas?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2014 03:10 PM

The forwarders need to send on the same port as the indexers (peers) receive. Also, you don't need to use different ports on the different indexers. I suggest the following

On each indexer, set the receiving port to 9997.

On each forwarder, set the server in outputs.conf to

server=indexer1:9997,indexer2:9997

On the search head, under distributed search, add each indexer. For this, use the splunkd port (8089 by default).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2014 03:10 PM

The forwarders need to send on the same port as the indexers (peers) receive. Also, you don't need to use different ports on the different indexers. I suggest the following

On each indexer, set the receiving port to 9997.

On each forwarder, set the server in outputs.conf to

server=indexer1:9997,indexer2:9997

On the search head, under distributed search, add each indexer. For this, use the splunkd port (8089 by default).

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-02-2014 01:38 PM

Just to ensure, the indexer is added as search peer in Search Head?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...