Why does our Splunk 6.3 Search Head Cluster fail only when a specific member...
I have built a search head cluster in our 6.3 Splunk environment. Distributed Searches, App roll out and general searches all work fine until a specific member of the SHCl is elected captain. What...
Is the Splunk App for Web Analytics compatible with a Splunk 6.2.6 Search...
Is there any impediment to using the Splunk App for Web Analytics (v1.5) in a Splunk 6.2.6 Search Head Cluster? As a suggestion, the documentation could be updated using the template:...
One Splunk search head crashed which was part of a 4 member search head...
Hello, One of our Splunk search heads crashed which was part of a 4 member search head cluster. The crashed server cannot be brought online anymore. How to remove it from the cluster setup so that I...
Why is a random outputs.conf file being automatically created and deployed to...
I have 3 search heads in a search head cluster, and I'm having some issues with building the outputs.conf files to them. I have 2 outputs.conf files I'd like to use. One is deployed via a deployer and...
When trying to deploy a configuration bundle from deployer to search head...
In search head clustering you use a deployer instance to push apps to the search head cluster members using the command: $SPLUNK_HOME/bin: ./splunk apply shcluster-bundle -target...
Why do I get "Connection reset by peer" when I try to bootstrap the search...
Hi all, I receive this error when using the command `$SPLUNK_HOME/bin/splunk bootstrap shcluster-captain -servers_list "http://1.2.3.4:8089, http://5.6.7.8:8089, http://9.10.11.12:8089"` In handler...
What is the curl command used on the deployer to apply shcluster-bundle?
Looking for a REST equivalent of this apply shcluster-bundle -target command: ./splunk apply shcluster-bundle -target https://10.75.4.105:8089 -auth admin:changeme --no-prompt --answer-yes I want to...
Should I increase search head specs, add a new search head, or migrate to...
Hi all, We're starting to ramp up our usage of Splunk with a lot of extra data, eventually adding Enterprise Security, and people on other teams are starting to get into Splunk, requesting forwarder...
state csv on search head cluster
http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/ http://dev.splunk.com/view/SP-CAAAEY7 Is KV store better than state csv when I need high availability? The scheduled search that...
Is KV Store better than a state CSV file when I need high availability in a...
http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/ http://dev.splunk.com/view/SP-CAAAEY7 Is KV store better than state CSV when I need high availability? The scheduled search that...
How can I monitor the number of current artifacts (search jobs in dispatch)...
Hi, For troubleshooting and alerting purposes, I would like to be able to monitor the number of current active artifact objects in the dispatch directory of our search heads...
Splunk Health Check Overview: Why are some search heads in our search head...
We have search head clustering implemented which involves a deployer and 3 search heads. On Navigating to "User Activity" page, under the "Search Head" drop-down, it only lists one search head. The...
After bundle App distribution from the Deployer, why does the search head...
Hi All, Shouldn't the search head cluster captain be the last one to restart after a bundle app distribution from the Deployer? We noticed a couple of times that it was in fact the first to restart......
How do you update lookup tables when using search head clustering?
We have a lookup table that is automatically updated every 15 minutes past the hour with external results (not in Splunk). This needs to be pushed out to our clustered search head members. How would...
Are there issues with deploying the Splunk App for Unix and Linux (5.0.3) &...
I have a distributed non-clustered Splunk Enterprise environment. I am planning to implement Search Head clustering and a multisite indexer cluster. I know that the current Nix and Windows Infra apps...
Unable to bootstrap search head cluster captain
**Environment:** - Windows Server 2012 - Splunk Ent 6.3 - 3 Search Heads (all brand new instances) - 1 Instance which is both DMC and Deployer (documentation said this should be ok) - All on the same...
Why does the Deployer fail to deploy configuration bundle to search head...
Due to this error: Error while deploying apps to first member: ConfDeploymentException: Error while fetching apps baseline on target=http://[ip of the search head]:8089: Network-layer error: Connection...
Do all server configurations need to be identical for both indexer and search...
Hi Experts, I have gone through the Capacity planning document and derived my Splunk server configurations based on the requirement. I have two search heads and two indexers each in two sites with...
Not showing other search heads in cluster
I'm accessing my Splunk cluster via the load balancer VIP address. The Splunk Health Check Overview app shows the currently logged on server, and the two indexers I have set up as search peers, but not...
Upgraded to 6.2.6 in Search Head Cluster (SHC) environment and dispatch is...
Under 6.2.6 in my Search Head cluster (SHC) environment, I am starting to see the number of files grow in dispatch that are beyond their ttl and causing me to constantly monitor disk usage. Dispatch...