...ow though the search is working, but when we try to enable any one or all three disabled search peers, the search head again freezes and no search works.
I have tried restarting the search head a...
...unction on the search heads. However, if you run the same search on the Indexer or Deployer UI, the extractions work just fine.
KV_MODE = xml is set in props.conf for the relevant sourcetype. Btool o...
...dexers. On the search head: The full message in splunkd.log is: "Global key files are invalid. This server cannot distribute searches to other servers." In Settings » Distributed search...
I can get this app to work fine if I'm running it locally on an indexer. But not from a distributed search head.
index=_internal | decrypt field=sourcetype hex() emit('sourcetype')
C...
To my knowledge, the subsearch result would act as a parameter to the main search. In a distributed search, would the subsearch result first be consolidated in the search head and then f...
I have this defined in an app on the search head:
In pops.conf:
[bigip-syslog]
TRANSFORMS-null = setnull-f5-probes
REPORT-f5-fields = f5-fields
In transforms.conf:
[setnull-f5-p...
...an have
My question is, how does this work in a distributed environment?
Imagine I have two search heads, and users load-balanced between them. Both search heads distribute to the same farm of 1...
...as about 1200 MB on average.
Due to this change, I became unaware of how the distributed search works when using the dashboard base search function.
Could someone tell me?
Hi,
We have 10 sites, each with their own Splunk server (search head, indexer etc). Each is collecting the same information and has the same index names. I want to run a distributed search q...
...essage
however the requesttype field is never extracted and does not show up in the available fields dialog with the following search:
sourcetype=jsonLogs
Including the field in the search...