Missing Results in Splunk after update from 7 to 8

anae · ‎01-15-2020

Hi, we have a small cluster formed with two indexeres, one search head and one master.
After updating from splunk 7 to splunk 8, the search head will only show results from one of the indexers and not the other.
In the master head everything has green health, it sees both indexers and says they searchable, even though in reality I'm only getting results from one indexer.
Besides this, I've looked in the logs from the search head, the master head and the indexers, but nothing relevant appears.
Does anyone have a hint on what to do to get results from both indexers?

Thanks

DavidHourani · ‎01-15-2020

Hi @anae,

Could you please confirm that your search head is part of the cluster and configured as follows in server.conf :
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configuresearchheadwithserverconf

It could be that you only have one of the indexers defined as a search peer on the SH which would only allow you to see data from one of the indexers.

Cheers,
David

anae · ‎01-15-2020

it's worth mentioning that if I open up the indexer in question and search directly on it, all the events are there - so it's receiving data and indexing

Missing Results in Splunk after update from 7 to 8

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!