...n the "Bestpractice: Forwardsearchheaddatatotheindexerlayer (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Forwardsearchheaddata) documentation step 1. which states:
Make s...
Hello, I have an architecture with a single SH and two indexers. I've installed the Splunk for Microsoft 365 add-on on thesearchhead, so the collected logs are stored in thesearchhead's index, b...
...index. Additionally thesearchhead complains that it received an event for an unconfigured/disabled/deleted index=foo like it is attempting to write thedata locally.
What do I need to do tothe...
...is waiting for input" message.
I didn't register indexers tothe distributed search peers of DMC because theindexers are clustered.
I didn't embed DMC function in cluster master.
By the w...
...nvironment with one searchhead, two clustered indexers, a Deployment Server/Cluster Master and a Heavy Forwarder.
When I look at the _internal index from theSearchHead, I see data from all of the h...
I need details about what to validate after the upgrade so I know it was successful. How can I tell that everything got upgraded correctly, and that the system is healthy and ready to go?
I need details about what to check before I upgrade so I know if my deployment is ready to upgrade. What do I monitor, and how do I benchmark system health before the upgrade?
...p a monitoring console on the license master and changed it to distributed mode.
I can see my indexers there, but I don't see my searchheads.
I followed the documentation and went to S...
I'm seeing some curious behavior our of two of my heavy forwarders. They aren't reporting data into _internal, but I am seeing app data from things I have installed on them. I checked out the logs o...