×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
CableB0y
Engager
Member since: ‎06-26-2020
‎07-01-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-26-2020
View All

Re: Unable to see all indexers by default.

by in Deployment Architecture
‎07-01-2020 09:44 AM
‎07-01-2020 09:44 AM
I think you're 100% correct. I made the change in the UI originally but was prevented from adding the hostname of the SH, so I ended up making the change on the SH distsearch.conf file last week, restarted, and it seems to be working correctly now. I think we'll likely discuss moving the searchhead off the IDX, but appreciate the assistance in the interim! ... View more

Re: Unable to see all indexers by default.

by in Deployment Architecture
‎07-01-2020 04:40 AM
‎07-01-2020 04:40 AM
Hey thanks for the reply! I checked and it doesn't look like forwarding is configured. I'm assuming based on the configuration that this will send all logs including internal logs to our other Splunk indexers, and I'm wondering what constraints that would have on bandwidth since some indexers are geographically separated. I was able to fix the issue temporarily by modifying distsearch.conf on the search head to include an entry for localhost, but again, this was because the GUI wouldn't accept the hostname of the searchhead, so I'm thinking this is a poor long term solution. ... View more

Unable to see all indexers by default.

by in Deployment Architecture
‎06-26-2020 07:42 PM
‎06-26-2020 07:42 PM
I've recently started a new job, of which one of my duties is to take over managing splunk from the previous administrator who left short notice. I've got SOME lab knowledge of splunk, and have been a user, but never an administrator so I'm not really sure if we're meeting best practice with this current architecture. Our current design is 1 x (SearchHead/Indexer), and three search peers, all of which are configured within 'Distributed Search -> Search Peers'. The problem is that whenever I search any events, I only see events from distributed peers, and not from the indexer running on the search head. I'm able to verify that it is indeed indexing data, but I have to explicitly add the SPL 'splunk_server=*'. Is this due to my current configuration, or is it possible I'm missing something in the configs? Appreciate any help anyone can provide! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-01-2020 01:13 PM