search head cluster bundle distribution restarts alert throttling
We noticed that after distribution of a new bundle from the deployer, alerts that were under throttling conditions were refired after shc member restart. Is there a way to keep these throttling...
After shcluster bundle distribution from the deployer, why are alerts with...
We noticed that after distribution from the deployer of a new bundle, alerts that were under throttling conditions were refired after search head cluster member restart. Is there a way to keep these...
Optiv Threat Intel: How to troubleshoot why there is no data populating in...
I installed the Optiv Threat Intel app on a search head cluster, but data is not populating. Additionally, I added the optiv index to the peer indexers as well. However, I'm still not getting threat...
Why am I getting error "Got an invalid master uri ?" trying to apply the...
Hello everyone, I'm running into some trouble deploying apps to my search head cluster. I have a small demo environment set up in my home lab. 2 search heads, 2 indexers, a heavy forwarder, and an...
Search Head Clustering: What does "ERROR SHPRaftConsensus consecutive...
ERROR SHPRaftConsensus - 1040000 consecutive appendEntriesFailures This error is coming and I want to know how to address it. Please advise :)
Search Head Cluster: How to delete private pre-cluster dashboards?
We moved from a single search head setup to a Search Head cluster running 6.2.1. We are manually doing cleanup on knowledge objects created pre-cluster that can't be deleted or have permissions...
Why are searches that use lookups failing in a search head clustering...
Hi, We have recently migrated to a search head clustering environment, but unfortunately, all the searches using lookups are failing, but they work when we use local=t. Does this mean that the lookup...
How to migrate data from an environment with search head pooling and indexer...
We have 2 environments: 1st is 3 search heads in a cluster, w/ 2 indexers, not in a cluster. 2nd environment is 3 search heads (pooled) and 4 indexers (clustered), plus 1 cluster master. The intention...
How to configure a Splunk 6.2.3 search head cluster behind an AWS Elastic...
We are running 6.2.3 and are using search head clustering. We would like to use an AWS ELB to terminate SSL, and then send the data to port 8000 on the search head nodes. The problem is that Splunk Web...
Why am I getting "Error while deploying apps to first member...Network-layer...
Hello, After configuring search head clustering, it looks like it works, but when I try to deploy something from the deployer, I get this error: ERROR HttpClientRequest - HTTP client error: Connection...
What are ideal role placements for Deployer, Deployment Server, & Distributed...
I've recently created a new multisite indexer and search head cluster topology, using separate VMs for my license server and cluster master. I have an additional VM which I am going to use for one,...
Splunk Support for Active Directory: "SSLError at...
Hello, I am attempting to configure SA-ldapsearch on our Splunk 6.3.1 cluster with search head cluster. I have installed SA-Ldapsearch on the deployer and pushed the bundle, no issue there. I am...
Do I need to set the cluster_label for the search head cluster deployer in...
In my environment, our license master has the following roles: license master, cluster master, Search Head Cluster deployer, server with Distributed Management Console. As per the DMC documentation...
What do I do if I have too many saved searches with status="continued" in my...
I have a search head cluster with quite a few saved searches that run every 5 mins. Sometimes, the status of a few saved searches become "continued". I understand that system will come back to that...
How to upgrade a standalone search head to a Search Head Cluster, and connect...
I have one standalone search head connected to 2 indexer clusters now. I would like to upgrade the standalone search head to a Search Head Cluster (with 3 members and a deployer). Is this possible? How...
What do these bucket (indexer clustering) and acceptPush (search head...
**1) [Indexer Cluster] What does the following Error Message mean:** 1-16-2015 11:14:48.129 -0500 WARN CMMaster - event=removePeerBuckets peer=3611AD96-B6BB-4B66-BDC0-9A09442F718F peer_name=index19...
Can you make Splunk treat lookup files as local configuration in a search...
I am running a custom app that uses lookup files to get some of its configuration on a search head cluster. When the lookup files are edited on a search head, they replicate across to the others with...
Why would the lookup definition for kvstore type be missing in a Splunk 6.2.x...
Just finished setting up a kvstore collection within the collections.conf and pushed it out through the deployer to our search head cluster. Per the Distributed Management Console, everything is...
Why do scheduled searches randomly stop running in a Splunk 6.3.0 Search Head...
We're running a Search Head Cluster on Splunk 6.3.0. We have noticed that saved searches/alerts for some users stop dispatching seemingly at random. Issuing a rolling-restart on the cluster gets them...
Why is Search History not being replicated between members in a Splunk 6.3.1...
Just deployed a search head cluster on 6.3.1. Loving the new search history feature. Unfortunately the search history does not replicate between nodes, i.e. if you only see the history for the ad hoc...