Given two standalone Splunk environments, can I point one instance to search...
I am working with two Splunk standalone environments where each environment is a single server that acts as search head and indexer. Users currently have to log into both environments to run reports....

Tags in Distributed search
Hi all, I have a custom application that uses more tags and eventtypes in a distributed environment (1 SH and 3 Ind). I have eventtypes and tags definitions on the Search Head but not on the Indexers, but...

Problem using the ML Toolkit 'apply' command streamed to the indexers in our...
We followed the Splunk documentation ML Toolkit/Python installation instructions for our Splunk 6.6.0 Linux environment including: Installing the Scientific Python & ML Toolkit on all search heads...

Where is the authorize.conf file located on Indexers or where is the pointer...
Trying to determine how I can tell on the indexers what authorize.conf file they have to conduct User Authorization for the indexes. I see this statement in the DistSearch/Whatsearchheadssend...

About distributed search.
In my environment, I have two indexers for one Search head. I think that commands like "search", "dedup", "transaction" are processed by the indexer in a distributed search. But are these commands in...

Deployment error in distributed environment
Hi, when I try to deploy Apps on my search head (distributed environment) I get this error: ***Error while creating deployable apps: Error copying src="/opt/splunk/etc/shcluster" to...

Data not showing up on Search Head - Distributed environment
We have a distributed Splunk environment. I am using Splunk_TA_windows on universal forwarders to send security event logs to a Heavy forwarder and then to the indexer. I can see that data is being sent to...

Can I use the same indexers for a Splunk Enterprise search head and another...
I am in process of Splunk Enterprise Security deployment. While deployment of Add-ons to my indexers, documentation says: ***"Splunk Enterprise Security is running on a complex deployment, such as one...

How to configure a different replication port for each splunk instance on...
I have an uncommon situation. We have multiple Splunk instances on a single Unix host: two search heads, one deployer, and two indexers. The problem now is to set up a search head cluster. Would...

Why is my custom streaming search-command executed on the search head?
I am trying to implement a custom streaming search-command right now. I would like to use the SCP v2 protocol with the splunklib Python interface. The command itself is running fine, but the...

Distributed Search error on GUI configuration: entry not saved
After entering the search peer information into the Distributed Search-Add search peers window, I get the following error: Your entry was not saved. The following error was reported: SyntaxError:...

Search Heads in cluster are not able to replicate properly
Hi! There are 2 search heads in our production cluster. We have implemented the Alert Manager app on our SH and it incorporates Alert Manager specific lookups, data models and event types. Some of the...

Error message when running a search on the search head - Unable to distribute...
I get the following error message when running a search on the search head: Unable to distribute to peer named :8089 at uri=:8089 using the uri-scheme=https because peer has status="Down". Please...

Adding Search head and Indexer when SSH is open in custom port
Hi, I am connecting my search head to the indexer. The issue is that since the sshd daemon is listening on port 9999 on both of these servers, they are not able to pass the keys. So how can I make both of these...

Where do you recommend installing the Cisco eStreamer eNcore Add-on for...
I have 1 search head, 2 Linux heavy forwarders, 1 indexer, 1 Deployment server, and 3 Windows heavy forwarders.

One Distributed Search Head Constantly Returning No Results
I have two separate search heads, one for admins to use and another for regular users. The search head for admins once or twice a week will need to have splunk service restarted in order to read from...

Distributed Search Configuration
I am trying to configure my search head to search my indexer and I keep receiving the following error: Error while sending public key to search peer: Connect Timeout. One of the troubleshooting steps...
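Two of the posts above (the "peer has status="Down"" error and the "Error while sending public key to search peer: Connect Timeout" error) describe the same first triage step: is the management port of the peer reachable at all, and what does the search head itself think each peer's status is? The script below is an added example, not code from either poster or from Splunk; it assumes the search head's management port is 8089 and reads peer status from the REST endpoint `/services/search/distributed/peers` with `output_mode=json` (the endpoint and field names `status` and `host` are taken from that API; the hostnames and the JSON sample are constructed). A peer whose `host` is empty shows up as a bare `:8089` in messages like the one quoted above, which is either a peer saved without a hostname or, in a post, a redacted one; the script flags it either way.

```python
"""Triage distributed-search peers from a search head's REST API.

Added example. Assumptions not taken from the original posts: management
port 8089, Basic auth against the search head, and the peers endpoint
/services/search/distributed/peers?output_mode=json.
"""
import json
import socket
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample of what the peers endpoint returns, trimmed to the
# fields used here. It is not output captured from a real deployment.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "idx1.example.internal:8089",
         "content": {"status": "Up", "host": "idx1.example.internal",
                     "peerName": "idx1"}},
        {"name": "idx2.example.internal:8089",
         "content": {"status": "Down", "host": "idx2.example.internal",
                     "peerName": "idx2"}},
        {"name": ":8089",
         "content": {"status": "Down", "host": "", "peerName": ""}},
    ]
})


def port_reachable(host, port=8089, timeout=5.0):
    """TCP connect to the peer's management port; a timeout here is the
    'Connect Timeout' case (firewall or wrong host), a refusal means the
    host answers but splunkd is not listening on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (socket.timeout, OSError):
        return False


def fetch_peers(search_head, user, password, port=8089, verify_tls=True):
    """Return the raw JSON text of the peers endpoint (needs network)."""
    url = (f"https://{search_head}:{port}/services/search/distributed/peers"
           "?output_mode=json&count=0")
    req = urllib.request.Request(url)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances still on the default self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def unhealthy_peers(json_text):
    """Parse a peers response and return (entry name, reason) for every
    peer that is not usable: empty host first, then any status != Up."""
    problems = []
    for entry in json.loads(json_text).get("entry", []):
        content = entry.get("content", {})
        name = entry.get("name", "")
        if not content.get("host") or name.startswith(":"):
            problems.append((name, "empty host in peer entry"))
        elif content.get("status") != "Up":
            problems.append((name, f"status={content.get('status')}"))
    return problems


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_peers(...) for
    # a live search head.
    for name, reason in unhealthy_peers(SAMPLE_RESPONSE):
        print(f"{name!r}: {reason}")
        host = name.rsplit(":", 1)[0]
        if host:
            print(f"  tcp/8089 reachable: {port_reachable(host)}")
```

Run `port_reachable()` from the search head, not from your workstation: the search head is the side that opens the connection to each peer's management port, so a firewall that only allows your laptop through tells you nothing about the error.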

Search head failed to trigger scheduled job
We have a savedSearch being scheduled, and an action selected to handle the alert. This is on a search head. But the action never triggered. The splunkd.log shows: event=SHPMaster::delegateSearchJob...

Distributed KV store with 2 search head?
Hello. I'm running on RHEL 7 with 6.6.3 and an Indexer cluster (3 peers), and have 2 Search Heads not in a SHC but connected individually to the index cluster. I am trying to use the KV store with a custom built...