How do you calculate max search concurrency in a search head cluster and an...
I know that how to calculate max search concurrency in stand-alone is below. normal search : max_hist_searches = max_search_per_cpu(* default is 1) * core + base_max_searches(* default is 6) normal...
Splunk Distributed search peer not working as expected. There are multiple...
Hi All, We have 4 search heads (non clustered) and 16 search peers (non clustered). Each search head points to all 16 search peers. Recently one of our search heads was freezing and no search was...
Can you help us scale up a distributed search from one search head + one...
The plan is to scale up a current distributed search framework — from one search head (SH) + one indexer to one SH + two indexers. We are not planning to use an indexer cluster, so each indexer will...
Search head - Search peer communication direction in distributed environment
Hi all, I have a simple question: In a distributed environment (without SH cluster), what happens when I do a distributed search? As I understand the SH opens a connection to the search peer(s), send...
I can't get full results in distributed search.
When I have searched in search head, following message was displayed. **error: Some events cannot be displayed because they cannot be fetched from the remote search peer(s). This is likely caused by...
Splunk standalone search head migration to new VM
We have our VM running in a dual role (search head + indexer), I want to take out search head functionality completely from this VM and migrate only search head to another VM. On our current search...
How can I determine where socket timeout is coming from when I peer indexer...
I am trying to solve an issue with some search heads that have had issues accepting a set of indexers. I am trying to add in indexers that have been networked to a new set of search heads. When I try...
distsearch.conf is overridden after updating through GUI, upon restarting...
We've SH Cluster environment and are seeing the following error; "***Gave up waiting for the captain to establish a common bundle version across all search peers; using most recent bundles on all...
System clock not identical in SH and indexer.
Hi Experts, I am getting below error in Setting -> Search peers ->Distributed search in my Splunk Search heads and Splunk deployment server. In Deployment Server: The times on the system clocks...
distributed search query works (kinda) but only returns single
Hi, We have 10 sites each with their own splunk server (search head, indexer etc). Each is collecting the same information and has the same index names. I want to run a distributed search queries so...
Build a distributed search environment with trial version?
Hello, I wanted to build a distributed search environment with Splunk with the **trial license**. But for example, every time I wanted to configure one of my two instances as search-peer, and after I...
Single Search Head/Single Indexer (distributed search)
Hi, Is it possible to create a single search head instance? And or a single indexer instance? - Or are the instances by default indexers?
Add standalone search head in existing sh cluster without conf configuration...
Hello guys, is adding standalone search head in existing sh cluster without conf configuration replications supported by Splunk? We have a sh searching clustered indexers with specific configuration...
How to discover if a search head cluster captain is static, dynamic, using...
How can I figure out that in established SHC showing captain is static or dynamic, using CLI or .conf files? I mean where can I see stanza regarding it?
external account unsuccessful attempts to authenticate to multiple hosts
Any help figuring out how to design a query for this would be helpful.
Unable to add search peer from search head using distributed search: no route...
Issue: Unable to add search peer from search head using distributed search: no route to host or connection refused error we have 5 instance search head license master indexer search head enterprise...
Can't see newly created indexes on search head in distributed search
I have a single indexer and single search head with the indexer attached as a search peer and I created one index called "winevent" on the indexer. I don't understand why the search head cannot see...
lookup access across non-clustered search heads
Hello experts and splunkers, I have a splunk environment which consists of 2 Search Heads, which are not clustered - let's say SH1 and SH2, and 2 Indexers, which are clustered. (Please assume, due to...
Get data from different Splunk Instances
Hi, I have 3 different instances that are totally separate. 1. First one is Standalone single SH Enterprise server 2. Indexer Clustering Enterprise Servers 3. In this 3rd instance, I want to create a...
Search Heads are unable to distribute to Indexers
Find that it has the frequent error message that the search head cannot connect to the Indexer. "Unable to distribute to peer named xx.xx.xx.xx:8089 at uri=xx.xx.xx.xx:8089 using the uri-scheme=https...