Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Distributed search set up between A and B, node B missing source

orjanb314
Engager
‎09-29-2010 12:23 PM

In my company we have 2 servers running Splunk 4.1.5. Each one has the other configured to be a search peer in distributed search. So far only node A receives data for indexing and node B has only the default inputs. On node B most of the data from A is visible, but it's clear that much is missing. Most importantly no data with our Blucoat proxy as source shows up on node B.

I have also installed Splunk locally on my PC and configured it with both A and B as search peers. It has the same data as node B available. Anyone have any possible answers for this at the top of their heads?

Edit: I have made some screenshots to illustrate. I feel like I'm missing something very basic here, but I'm just a newbie. 😉

Splunk 1 Splunk 2

Tags (1)
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you still have a problem with this, just go into the splunk support page and they have all the infirmations there.

0 Karma
Reply

canadianman
New Member
‎09-20-2011 12:26 PM

If you need some help with this just go into the splunk support page, they have all the information there.

0 Karma
Reply

orjanb314
Engager
‎09-30-2010 06:19 AM

As far as I can see it doesn't matter what searches I do, the data simply isn't available on B.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-30-2010 04:14 AM

It seems likely that the "missing" data on A is in a non-default index. Queries from your PC and from node B are implicitly querying the default indexes (as defined on the machine from which you run the search). Node A probably has modified its local default indexes to include the index containing your "missing" data.

You could test this by explicitly querying for index=* (assuming that on your PC/node B that you are in fact allowed to query for those indexes).

Reply

Genti
Splunk Employee
Splunk Employee
‎09-29-2010 09:16 PM

what are the searches that you are doing in both indexer A and indexer B to view the bluecoat data?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...